gh0strat | a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78

Resubmissions

24-11-2024 12:07

241124-pat21syme1 10

24-11-2024 12:04

241124-n8pphsylht 10

Analysis

max time kernel
140s
max time network
139s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
Size

328KB
MD5

547b878574ddb23538a8d3409ce702b0
SHA1

ede7adac69f17ed846624c8942e5bdf5a737b164
SHA256

a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78
SHA512

966d6b8d7b91f2195e575ff175f718bf66de61830752e88d0f23956c4dbb9069e11002496bb5c31a21bb651687257994d0b28d7bae937fb46fb62f45bf055e90
SSDEEP

6144:4eKKtlCCp1fBpzhhh2KNZbBKKKrx90J8GtiU67+arHM:hlBpBBpcKwnON6Cars

Score

10^/10

gh0strat ramnit banker discovery rat spyware stealer trojan upx worm

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/1716-0-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/1716-4-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/1716-43-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2888-33-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/2888-127-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/1716-1180-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
2964	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
2804	DesktopLayer.exe
2888	Ysgmkcc.exe
2832	YsgmkccSrv.exe
1940	Ysgmkcc.exe
2412	YsgmkccSrv.exe
1996	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
1716	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
2964	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
2888	Ysgmkcc.exe
1940	Ysgmkcc.exe
2412	YsgmkccSrv.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2D440D3-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2D440D1-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C3B8C4D3-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C3B8C4D1-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2D440D1-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2D440D1-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2D440DC-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C3B8C4D1-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C3B8C4D1-AA5C-11EF-8B64-E6B33176B75A}.dat	iexplore.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120fd-6.dat	upx
behavioral1/memory/1716-8-0x0000000000260000-0x000000000028E000-memory.dmp	upx
behavioral1/memory/2964-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2804-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2964-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2832-42-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2412-137-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2412-145-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7E25.tmp	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px83FF.tmp	YsgmkccSrv.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7BF3.tmp	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438611952"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C280F0B1-AA5C-11EF-8B64-E6B33176B75A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070b00000018000c00080008009500	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadDecision = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadDecisionTime = f0bdf086693edb01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDecisionTime = f0bdf086693edb01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070b00000018000c0008000c000b01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 06000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 90755e85693edb01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070b00000018000c0008000900230300000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070b00000018000c0008000b00ee0002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070b00000018000c00080006005d02	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 30145c85693edb01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1716	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
1716	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
2804	DesktopLayer.exe
2804	DesktopLayer.exe
2804	DesktopLayer.exe
2804	DesktopLayer.exe
2888	Ysgmkcc.exe
2888	Ysgmkcc.exe
2832	YsgmkccSrv.exe
2832	YsgmkccSrv.exe
2832	YsgmkccSrv.exe
2832	YsgmkccSrv.exe
1940	Ysgmkcc.exe
1940	Ysgmkcc.exe
1996	DesktopLayer.exe
1996	DesktopLayer.exe
1996	DesktopLayer.exe
1996	DesktopLayer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1716	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2948	iexplore.exe
2692	iexplore.exe
2692	iexplore.exe
2692	iexplore.exe
2692	iexplore.exe
2692	iexplore.exe
2692	iexplore.exe
2692	iexplore.exe
2692	iexplore.exe
2528	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2948	iexplore.exe
2948	iexplore.exe
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2692	iexplore.exe
2692	iexplore.exe
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE
2528	iexplore.exe
2528	iexplore.exe
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2964	1716	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	30
PID 1716 wrote to memory of 2964	1716	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	30
PID 1716 wrote to memory of 2964	1716	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	30
PID 1716 wrote to memory of 2964	1716	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	30
PID 2964 wrote to memory of 2804	2964	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	31
PID 2964 wrote to memory of 2804	2964	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	31
PID 2964 wrote to memory of 2804	2964	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	31
PID 2964 wrote to memory of 2804	2964	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	31
PID 2804 wrote to memory of 2948	2804	DesktopLayer.exe	32
PID 2804 wrote to memory of 2948	2804	DesktopLayer.exe	32
PID 2804 wrote to memory of 2948	2804	DesktopLayer.exe	32
PID 2804 wrote to memory of 2948	2804	DesktopLayer.exe	32
PID 2948 wrote to memory of 2876	2948	iexplore.exe	34
PID 2948 wrote to memory of 2876	2948	iexplore.exe	34
PID 2948 wrote to memory of 2876	2948	iexplore.exe	34
PID 2948 wrote to memory of 2876	2948	iexplore.exe	34
PID 2888 wrote to memory of 2832	2888	Ysgmkcc.exe	35
PID 2888 wrote to memory of 2832	2888	Ysgmkcc.exe	35
PID 2888 wrote to memory of 2832	2888	Ysgmkcc.exe	35
PID 2888 wrote to memory of 2832	2888	Ysgmkcc.exe	35
PID 2832 wrote to memory of 2692	2832	YsgmkccSrv.exe	36
PID 2832 wrote to memory of 2692	2832	YsgmkccSrv.exe	36
PID 2832 wrote to memory of 2692	2832	YsgmkccSrv.exe	36
PID 2832 wrote to memory of 2692	2832	YsgmkccSrv.exe	36
PID 2692 wrote to memory of 840	2692	iexplore.exe	37
PID 2692 wrote to memory of 840	2692	iexplore.exe	37
PID 2692 wrote to memory of 840	2692	iexplore.exe	37
PID 2692 wrote to memory of 1376	2692	iexplore.exe	38
PID 2692 wrote to memory of 1376	2692	iexplore.exe	38
PID 2692 wrote to memory of 1376	2692	iexplore.exe	38
PID 2692 wrote to memory of 1376	2692	iexplore.exe	38
PID 2888 wrote to memory of 1940	2888	Ysgmkcc.exe	39
PID 2888 wrote to memory of 1940	2888	Ysgmkcc.exe	39
PID 2888 wrote to memory of 1940	2888	Ysgmkcc.exe	39
PID 2888 wrote to memory of 1940	2888	Ysgmkcc.exe	39
PID 1940 wrote to memory of 2412	1940	Ysgmkcc.exe	40
PID 1940 wrote to memory of 2412	1940	Ysgmkcc.exe	40
PID 1940 wrote to memory of 2412	1940	Ysgmkcc.exe	40
PID 1940 wrote to memory of 2412	1940	Ysgmkcc.exe	40
PID 2412 wrote to memory of 1996	2412	YsgmkccSrv.exe	41
PID 2412 wrote to memory of 1996	2412	YsgmkccSrv.exe	41
PID 2412 wrote to memory of 1996	2412	YsgmkccSrv.exe	41
PID 2412 wrote to memory of 1996	2412	YsgmkccSrv.exe	41
PID 1996 wrote to memory of 2528	1996	DesktopLayer.exe	42
PID 1996 wrote to memory of 2528	1996	DesktopLayer.exe	42
PID 1996 wrote to memory of 2528	1996	DesktopLayer.exe	42
PID 1996 wrote to memory of 2528	1996	DesktopLayer.exe	42
PID 2528 wrote to memory of 1868	2528	iexplore.exe	43
PID 2528 wrote to memory of 1868	2528	iexplore.exe	43
PID 2528 wrote to memory of 1868	2528	iexplore.exe	43
PID 2528 wrote to memory of 1868	2528	iexplore.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
"C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
  C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2876

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
"C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1376
- C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe" Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
    "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe

Filesize
328KB

MD5
547b878574ddb23538a8d3409ce702b0

SHA1
ede7adac69f17ed846624c8942e5bdf5a737b164

SHA256
a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78

SHA512
966d6b8d7b91f2195e575ff175f718bf66de61830752e88d0f23956c4dbb9069e11002496bb5c31a21bb651687257994d0b28d7bae937fb46fb62f45bf055e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfbaf00e2c42ff9dd2e66f8cc4548c7a

SHA1
e7c4e7008dbb836587ae03677511a04c33c9e8b0

SHA256
7f191c2a321a0639f04709084136945f54f6f827d3f4f3bada638fb91ca7de28

SHA512
ed4c904caaffedf4e429714968ec83a0499f57e2cdbe90216bef3f68c238a5a251e791c2c47631217657a8e286bac8017601069b3cc35a6f1c802173b1197779

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b459ba5b69768f95b7a9bb8be5d592e3

SHA1
f06eb15dc3ae145e04d5cc133d3dcd496307febe

SHA256
1bd05d4dec1d87ea94a8b0a9bdf2b7853a528d6f4249c348a334ab3574bf7473

SHA512
756f767c5025c9ee0c469ee030ec580df9477bb48f69d7a704305f220b65667107c4d7d823258214dd0641e37472c3faeba05fe1b4c3a031fd4c6e6cf7e2ce7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
320b53bea51169354ee69050b635a209

SHA1
826c547f6af9a25b7a8df6c622f8b1626e404077

SHA256
f96f8672ce765c76b17e3271e75fa56bec9f7f15ecb1aea97bcfc424a9089f36

SHA512
4d0679403055de5bf02b41ef8b09e6377c8085a8b4bb3f25e0dca683d4b3b5eba07b4261f1c58cd381886b5ef6dcfbddef8281e018a8c05f89f0ff6a2d0cbd7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da4b46985744531ecb33a1676adcffc8

SHA1
72bf683a4569b1a37163501add00c4ecf87d309b

SHA256
0a39ae962925c13374e96820a0188749a642583ca82ff9f252a2b81785768c68

SHA512
c3b6565a1e6d5c8863143f4a0d07a106cd112500b5e15e6ccd2fd02b69dac92fd2de695654ef4046fe80432ef53bfdba8f5930e2065a50680173ba208f44c98e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69ac9a1473a6e84cb9127518c51102a7

SHA1
45b98b4c6210356690f3b5bb956add01329f90fe

SHA256
9028a4acd81ce176426520077d5b43b555fb6e0bfbe52e4b70d376bcc35e182e

SHA512
1ae11d46a74470020912acbe5ded2b4c4ebeeaae555a7332200f33e48b59d0ea82a2f5b326d772d23e60e635cd9bb3931b34f81dd4dab6078dce5a4d9269c68c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77cf646acf576c5e510080cd631f0e18

SHA1
0d049e78f86badc9e9505c804f9ca62c0cac0edc

SHA256
47707f9daee814807e21b910bf17c59f27e636a0ae138e0b7e12fb7d9975fcc6

SHA512
87551aa2f63934325ce75cfa386ed961f84b87b64cd8b46d5f62c9da2d21d9994248b2f10cf569c25599d31db50f6c038d89c2651a495ebd888e5157e1a02aee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14bd7021b71c95f432a0e679ab1f6b0b

SHA1
cd754863120a31834fb032e70f501d5314c3ed91

SHA256
dda5f9a660dd74111880ffbdb8d3e5ecd405d562be335f35827959f682adc955

SHA512
8612bfb63760c501e2e0ba4defab20e8db0ef0379dcab757231e1f7fb61812c96c9210e33eb4ea38059b09c17e554e5be582ecf33202d3ebfd4c6cf589988ada

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
386fe26564e4a21a251ab6f164126916

SHA1
b6feb01be2033fa6c3c9f128f16f0ceb3c2eb077

SHA256
06b483dcc73045008f1bc2c1d47e77e81ba0468256ca16f609ffb2e536f16a55

SHA512
10b01fc8e5881a927dc0d31034f091a2e8fe90b55ee5a2b482668aeeeae8a2e3f0887bc04834bb81e5258c6967cfbba7cedaec71d1cd00f6f8403d44804b22b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b165efb85274b0ac493f8347ea9385c3

SHA1
d822b939a47998a34baccee2158f2887e771ec59

SHA256
de7a66699e2bbd845c5a437ce79b3f90447c153101a91e996efb4214e4df19d7

SHA512
9fc936c4892ce71e1408549ca2b1521fc255cba2650a885c7116d778f9258e5854d301948b5a865670f6ac0b8e295eb8f3476b3bbbd02d013f7cad4b4fa84d42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2159c41cc038e131d200e02c6d6c18c1

SHA1
2687eb6b017b42295c0b0eb949eb05d6c290ad71

SHA256
019b39542bb9146268a10261d07ae26a83569c02eb0e607275ec08c84f5c7aea

SHA512
4ada48f6a5eca8474e485df3cf92211feeff5d5c55dbcf66dc27cff1f7c481697768d266fa5c06ba43c6afb5ca4d99b7a6ac3ded11afb966823d4cef0d488485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54f718ebb82eafb2d07c4f5d5f889052

SHA1
953756cf370a0e004baca7ae1089f9949494a03e

SHA256
4011e031818b8493d2c432173383ecb6bc86f27dad48e2d8476b7b5695fdb2e4

SHA512
73377d7f5ee081e424bf5f34fd9899d77af9e2777683f9d6b58b50a1d098463ec219f89f36a0b95f0beb650eeacaf983e0996bf7854bcb9c1e773ae609188162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0a137df485ca020d927e7bf4c3be33f

SHA1
72e8b4a3edfb47251bfead59d8ae424d29054406

SHA256
6e5526b0ff6b9f35ac943279d3bc3d517e6756e3c81deed8df875565c87261d2

SHA512
db8158ece43e7c0e76044afd214ae420dff3fcdce2ff5227e169487c3510b8a6b3d266efa97922d792cc38a743b1206bab5af0f12e869f7d2fb8ebc2bc790fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bdcecd946490aebfdf5cc99bd4f6b43

SHA1
0fef3c99ccccdea903effcfb970c9e342939ffd4

SHA256
e206ae99471629ed940dcd02108f574d0e5713c611699e05bea7c26c042b7519

SHA512
85e951a04ade83126f1e0c5c2bd01c09e4f62b4fdb71dbf40f4dac30cd6ed00a70b75d70beb06f2949af3bf2e2d99deeb071c18b960d7382225e4b51fe6f65bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00d0771387a2309d8eec214cb5fe0fce

SHA1
08f6dbe308c577ae156d97beeff11fb3a8162306

SHA256
4d40b90512829f49fb731b09c208bce13bc364373a7c61f57b436b180652e3e3

SHA512
69c9bc883ab0c565152b86bfac51b3bd1fe041e8c2df9d5c3f2ef538a7a92ffa12b3e5b63fdfca226709c088b997c666801a3973fbf5f1b9a6b5420eee0b5f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d6786669123d64dbe9b4905f3ac9037

SHA1
45290e102f0fddacc378790a47e4743dcd489ddb

SHA256
16dd5d3de47377b765713526d9e3215be33fc4e934d0eefae5ad97863bcc4701

SHA512
47c3366253473b442d8e8cbdc544f05df72eb49d537d27c78244af163b7290f09d92d785ed0b6703705d7fc9d196104a20d596bf94347b30a3e3480bec98f2fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d644891aa49b92fcc79f72ad3de613e

SHA1
4ddc3849ff8f37d93b39d47229373712168429a8

SHA256
dbba682092e73f610ab889d3f928bc158f9d73c440b94fa102459f3972fed9da

SHA512
895f6391769a54c39511d4375a32e62de692faa70896ead70201f007c58d3abca23aeff6f89ab0550c06eb3f324257f449e723668f0a17300fb340e15e41b346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1875d41e0e370149a76ffdcc44f60fad

SHA1
db54d303f889126bf9b424277f763db92077079f

SHA256
c4df26778cf62c13f36b061346f791e08f20c6a8504f0759744a317c5b44506c

SHA512
5313ced8c4b046d33d3f7d9218921dcbb15bb4e00ef92151daa5164dbf2c1904c268bfddbc1e3fc6696878771418697d80776d7a0feab49c5d25eb14c6b6ad11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dac154c2f3d65254290af2472c713f7

SHA1
fcb1592e42462249a69406e0d0988f2a5188fe0f

SHA256
eed5ec52734e05e6be8bc5eb87b905bffc6d2a05e6bcc730c404447bbeb44962

SHA512
896a9421b292857c5e77754f64693c5c5442cd5aa0e9be0c4fa90b54e8c190233b3afbd4b95640b01fa948108e1ce4fd57710212a2babedea933bb8ae9e8e39b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36b5c38eb211033673430688b39ed636

SHA1
80c5d7eb51d671ac933fb295008f5a20abac9474

SHA256
24face55b7207aab4cb9e68b997807c0bb8cc3755b8086a5715d2e49af1b76c6

SHA512
b963001133dbbe3c3cec244140c2a1f4bdd234fc3de303ac1451477e4cf71f1f13d07600f51b4b20bf31d0647f72ca2d3c8a6c2f8180616b0d065855dce4bc95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3a1b590536cacf1d8b67a77b51637fc

SHA1
da17f70c01d2bd19f010c46fbbdf0c9a3e2f83f7

SHA256
123f9010e691ec7ea3972afb22ed1c94c4f4b80afe2bfb0b4ace4031287b0f5d

SHA512
db3bbd95f22ff539dcc886a7090fced31d23b28a6db8ef36859ee26c0c9913ccb52dc93dc75fd02f81a5fd2c52f9a3b899c4b559b613158b35aac17ae186c9f3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
48ed4620078d83cffd1bdaf0069a41d6

SHA1
163e01c289a831cdaaa3c0723b9246809fd57777

SHA256
1c651f20cb2da051f034e10b79b1ec7497b655db5662db799f6eb5fc41c7ab86

SHA512
ec427384acdaf4766be42de7f0595ee948c10acdeb90d1fbf6e218f1bbea81d649d184f2cc749a74e9b582704e4820b9c20de181fdb5e5283457f1c6ae7845b8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
682473f47e69c21352ad4f04a70d6c78

SHA1
321e547c29afd051a7b68937fbfd7e2e35a6c7ac

SHA256
c3c09325d3fc7993a931b469bcb1b4974e3fbe5d6da8ba414eb9b9727535743b

SHA512
1966de10ffb0e9303397bc00e8624c498dc3768a6530a283988258674d785108840dd0efe11fb35a74abd331ca2b4157713fd8fde8e69935e03d049e5fb5a1ab

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62f2259915242b248859c4df511880c7

SHA1
e11d92f5c399891765304cc0e91cbc8a1b33dde6

SHA256
250bfaf433f6a0e511ea5908097b190a69ef562abdedf3a3d5b4fffba7f0693d

SHA512
dc2e107d55927ee0b8249987c3b5a27f2c0049e3de3b55e80550fea84fcf97455664d0c9c0725d43aa5fe336f7cdb7f43e067a75380b02a3dc50671a1b0321f8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feb1d4595e294d949b2a672df8c4d7ee

SHA1
4e6ff31c0b2d1422079c8f10f8366065be840ae7

SHA256
6cdbc43fc54d1f9a73817154132f1d520de7d9b3da422514fdc06b4c44e31bfa

SHA512
15e61658663cf2677d624d1598ba5456a725ca541a464d61255fc5c0854dcce922f5c4d779c51fd36deead019df77facb35d264bbf0b4f8f55cd596597a56120

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9308aa0a5eceb55caf5c5cad2c56726

SHA1
c6ed7c31359cd852ae969670fdef15c688351ece

SHA256
bfb7076e9a54b4560e5f74092c7b3664147d1f908ded000eec59559ff041b512

SHA512
70efcf3d66ba77c6d9b62bb4f93b6a0572273e8ff1a98cccbb1a723d81dfd5e16785fcc7af7df6eeddb673cce53127d6047bc35f885bf71bcce015626fe40f7d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39e7e560e61ae2331de094cb6ca7b0ee

SHA1
974791646aa30d0a149979f0a0a8718d1860b1f4

SHA256
2a72601c0152c88f0c56dc27a4148e385f7231ec227ed98065fa0a8a85f5db56

SHA512
c6464b7959cf0e4b8a16a4cd1cfc257a7a81bdc9e3c015df7507ea49e36073436a77086c57b31397214e615d0a5a2526504a028e6668c79c29648c1577e1aa9b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc0574feb0d434b03dc1abddcaa9cebf

SHA1
cf8ebc5adb1fee0c574159096455db50b2820068

SHA256
b98919c183912cf54173e2f775755c78698e6c62b0026deb9a10a93c761e07cf

SHA512
bcd3e896127440fcdfab8d67112b40e55798e54530443ec1e018b15c281cabc040c05c99cec0ce5c157f4a28e2fcadfe482138abc16dbef5e11d56fe62437f07

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abd7cd706385fac843d219a41fe0b2ea

SHA1
991010e8662e93d0b0f88ffa52b629fe1d802615

SHA256
6dc0603519a75258dbc74056d311ac2e3dec3d8e3fc3f1cc2d3852d075e8ec17

SHA512
926798c986224917d83c174a1ca37401d0e8389f33cfc312e1ecad6365c6886f4d690bda3d0ca05e76cd4fb7c1922e25ed703f9cbb855986d40d49ea6bb5b9c1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f19961f9e39786afbed779b01ccedc5

SHA1
165c887593811e6caabe80b25b81667dd81866c6

SHA256
2eb8ad60165ba9185502db0fa92f40ee58cdd5e678f031defb1865a371daeb8e

SHA512
b152a395200fed017d63c891e69b12a269059227413d561a693e07257ecf7d6e4ceba79b664dbeb56d5d6fd07fb770ac2279241535da2c740256bad88577df43

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a822c5b57f562703f7e9bde5a93b3148

SHA1
cdcfa1f4190967c5404ade620d94c882bf028ab7

SHA256
381a433bb62a057caa3d300f8c612088361b4f1715d650c7e220d0bc60e55800

SHA512
e7619518e4d7c5ad4e6cf97f322c579e5f81d8ce614bb2cf38756e35b702cb3931523e2f2a14fd7729ea7914c9eee43ae7dee8f914ca43a08d3acdbab9cb85fa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c123ec7b9eee3395e98b006c2db94db

SHA1
b0df44fd2282e22d220c38096558c76c051797ed

SHA256
eff38420fff73de38697af0153bc5ca9ba813144e6c4e65377f69ea4ae3ef66c

SHA512
9f223663437ab73c1aea9c3e9abb9cd31c05f69a73d0ca18797ad5c74a07a26b742e2e1dc221b6ceda5f500b46cfde1b6e656931d74751fe2dbada3d4c5fd605

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afcfa21db8bf8dc5f072a8a841ab32c3

SHA1
a12ef64a9e7afb7814bed95e0be4d863f6adb18b

SHA256
3860b7821a6611eee3740158f40951fad9ecb3c9e4c4218dcec292c437c2ffa4

SHA512
feb7c7fca1bb137643cf291c5850b0ec12b18b8bfea32c52ddca5510ac7f9ae4461c37a96cabbc32c983e332236fb32b1355c86bc77a32bb47cf9589c11ca76e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a326aa6f33384b499fbed8117939107

SHA1
8f60c5ee799877d60a7efe2a9569986fd866f7e1

SHA256
3701fe8c6d974bcae4cd1efed4166c8b537ca7b53013b709bc0b1fb064406442

SHA512
5c313eaf2d8ad3ef8e2d0b6577ecca2e10f4fde3252cd6a4dea15c7feae4fc3192ff0a0dfb601cab6bde7c947d97f72f1363df146dcd369a78cb1d1f99491669

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d7d1418340b499e7284bc65b7cae6c9

SHA1
4e13340b1052681453f36af1372605d856f91e47

SHA256
03dcaed7d5880cb930da542ef9a2c67f625a778adb243eafee3aebac66e801e8

SHA512
14d19529c970bf30c8033a22a44ac9ce9624a1cdf63ac38106c7dd0263d896f58f8b2cbac926960addd2a175bfd5664ff5768da20999329a7d9e211176d52c1c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3c867bad407a8da38dee60b9e151bb2

SHA1
2a35a445b8de1897898dbce78693b3519d7c3359

SHA256
34be7b596fcdc47684aff6369f444c1f16ef1fb926a8421fd80cbba36075354e

SHA512
3b2f25f0953b0b492a9a5f95b2e2649ead6186c6cee4c7448415fa392c33f8321aa2234040a43e21f5671b6964b24f615e00a89ea73ab8cef752d6101b211b27

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab3d226e39aa512375a16c91c620cf61

SHA1
a222284c53c6368acc394d11b78dee610fa710c8

SHA256
20f9227dd6dca1f22a0f05924d5a3bb470a47406be0840cac2f934c608a1a1de

SHA512
f7b1ece5846203c59d5578fa3cbe4b4bc16fd0b0800eeac4ed004c72d60b1ea90668226539f0a34bd11ffbc871e1f993ccb71f08181bf453a1375b7a3f9e2e9b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab453436eafc9f04ab8d886d970aa586

SHA1
a9782838186f0fa4475310ee9f4d3b0e1f0849e1

SHA256
c3af71b6208604731b59dd064bc1810a9dabf7c5f575a154f4c8183c11bd8d24

SHA512
1e8035ff9929f697d9ba8d50e0ce45e2cc918a172381b1f8c944b8355b16c9e1f683634a5e75e7480f7c21fb1d46bbb038be83c520f5e92e2d35e5fc7026b872

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8c07118033ca6e80786dcc97b868c6c

SHA1
413c32562a4e200cc0ae4fb1bc251e1cf7cf0e15

SHA256
eeecd41a94205bb906c419aee399a626d566f0ab31432fb29ca22d155e067abe

SHA512
7dc7d275373139bb10599e6ec63d936acf650c2734102f3a8d3c2bb54d38f42c3378e219b9f5683730fa9ac8efc930fd50245ef1de929a76319f07b6ed783ea4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
081df5b75039ca1e88bdcaa2f738a1c1

SHA1
854c7eab1774995a7917537ac4d9d50e42334aff

SHA256
2a6cfe0ac4302e62bfb275788c767a8e46c6496491022afc4776edf4871df1cd

SHA512
19bfd2f23e96105446e741c60271786c8ea529d2de86229cd3586b73b02622fb55698c8574cb1e9402405151f2fdcf1edf633b38001ec7288d6c0d69d020cfcf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab8AE6.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar8AF9.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar8C37.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www7FF9.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www7FFA.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2D440D1-AA5C-11EF-8B64-E6B33176B75A}.dat

Filesize
5KB

MD5
d6ea2170eb91410f844d2ec1748134d0

SHA1
ad0fe5ca5b5832028d8f57280c25d1a43bd324a5

SHA256
6826fc0a3c55c88f876456d2de44c465787d6b67ac16053e7cdd748c6edb97a6

SHA512
9a03b11ca2dbbd37bcedcde57d3e432a60ba2f9fb43dfcd4f00c9f107083da478bff81e1d2b161e0b10af604c190e347f34962d64d4d4781c6d747fcf9907f7d

Download Submit
\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1716-1180-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1716-4-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1716-0-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1716-8-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/1716-43-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2412-1181-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/2412-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2412-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2804-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2804-24-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2832-40-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2832-42-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2888-38-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/2888-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2888-127-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2964-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2964-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2964-13-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download