gh0strat | a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
Size

328KB
MD5

547b878574ddb23538a8d3409ce702b0
SHA1

ede7adac69f17ed846624c8942e5bdf5a737b164
SHA256

a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78
SHA512

966d6b8d7b91f2195e575ff175f718bf66de61830752e88d0f23956c4dbb9069e11002496bb5c31a21bb651687257994d0b28d7bae937fb46fb62f45bf055e90
SSDEEP

6144:4eKKtlCCp1fBpzhhh2KNZbBKKKrx90J8GtiU67+arHM:hlBpBBpcKwnON6Cars

Score

10^/10

gh0strat ramnit banker discovery rat spyware stealer trojan upx worm

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/2336-0-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2336-5-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2336-9-0x0000000000380000-0x00000000003AE000-memory.dmp	family_gh0strat
behavioral1/memory/2360-16-0x0000000000230000-0x000000000023F000-memory.dmp	family_gh0strat
behavioral1/memory/2792-36-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/2336-39-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2792-131-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/444-140-0x0000000000560000-0x000000000058E000-memory.dmp	family_gh0strat
behavioral1/memory/2336-1040-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
2360	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
2308	DesktopLayer.exe
2792	Ysgmkcc.exe
620	YsgmkccSrv.exe
444	Ysgmkcc.exe
352	YsgmkccSrv.exe
1940	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
2336	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
2360	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
2792	Ysgmkcc.exe
444	Ysgmkcc.exe
352	YsgmkccSrv.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{285285C1-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{294C7623-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{294C7621-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{285285C1-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{285285C1-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{285285C3-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{294C7621-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{294C7624-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{285285CC-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{294C7621-AA5D-11EF-BBB7-C6DA928D33CD}.dat	iexplore.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012272-10.dat	upx
behavioral1/memory/2360-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2360-19-0x00000000002C0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2308-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2308-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2308-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2308-29-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/620-47-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/352-142-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/352-149-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEE16.tmp	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE4E3.tmp	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE7EF.tmp	YsgmkccSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27EC2AA1-AA5D-11EF-BBB7-C6DA928D33CD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438612123"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA1A2C4-E34F-44C9-AA53-274E25C11588}\WpadDecisionTime = 808812146a3edb01	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA1A2C4-E34F-44C9-AA53-274E25C11588}\WpadDecisionTime = 608878ec693edb01	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 000000000000000006000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA1A2C4-E34F-44C9-AA53-274E25C11588}\WpadDecisionReason = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070b00000018000c000a003800a103	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-a6-f7-50-57-44	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 06000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070b00000018000c000b000300bb0200000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA1A2C4-E34F-44C9-AA53-274E25C11588}\WpadDecision = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2336	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
2336	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
2308	DesktopLayer.exe
2308	DesktopLayer.exe
2308	DesktopLayer.exe
2308	DesktopLayer.exe
2792	Ysgmkcc.exe
2792	Ysgmkcc.exe
620	YsgmkccSrv.exe
620	YsgmkccSrv.exe
620	YsgmkccSrv.exe
620	YsgmkccSrv.exe
444	Ysgmkcc.exe
444	Ysgmkcc.exe
1940	DesktopLayer.exe
1940	DesktopLayer.exe
1940	DesktopLayer.exe
1940	DesktopLayer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2336	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1960	iexplore.exe
2548	iexplore.exe
2548	iexplore.exe
2548	iexplore.exe
2548	iexplore.exe
2548	iexplore.exe
2548	iexplore.exe
2548	iexplore.exe
2548	iexplore.exe
1728	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1960	iexplore.exe
1960	iexplore.exe
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2548	iexplore.exe
2548	iexplore.exe
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE
1728	iexplore.exe
1728	iexplore.exe
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2360	2336	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	31
PID 2336 wrote to memory of 2360	2336	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	31
PID 2336 wrote to memory of 2360	2336	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	31
PID 2336 wrote to memory of 2360	2336	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	31
PID 2360 wrote to memory of 2308	2360	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	32
PID 2360 wrote to memory of 2308	2360	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	32
PID 2360 wrote to memory of 2308	2360	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	32
PID 2360 wrote to memory of 2308	2360	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	32
PID 2308 wrote to memory of 1960	2308	DesktopLayer.exe	33
PID 2308 wrote to memory of 1960	2308	DesktopLayer.exe	33
PID 2308 wrote to memory of 1960	2308	DesktopLayer.exe	33
PID 2308 wrote to memory of 1960	2308	DesktopLayer.exe	33
PID 1960 wrote to memory of 2948	1960	iexplore.exe	35
PID 1960 wrote to memory of 2948	1960	iexplore.exe	35
PID 1960 wrote to memory of 2948	1960	iexplore.exe	35
PID 1960 wrote to memory of 2948	1960	iexplore.exe	35
PID 2792 wrote to memory of 620	2792	Ysgmkcc.exe	36
PID 2792 wrote to memory of 620	2792	Ysgmkcc.exe	36
PID 2792 wrote to memory of 620	2792	Ysgmkcc.exe	36
PID 2792 wrote to memory of 620	2792	Ysgmkcc.exe	36
PID 620 wrote to memory of 2548	620	YsgmkccSrv.exe	37
PID 620 wrote to memory of 2548	620	YsgmkccSrv.exe	37
PID 620 wrote to memory of 2548	620	YsgmkccSrv.exe	37
PID 620 wrote to memory of 2548	620	YsgmkccSrv.exe	37
PID 2548 wrote to memory of 2632	2548	iexplore.exe	38
PID 2548 wrote to memory of 2632	2548	iexplore.exe	38
PID 2548 wrote to memory of 2632	2548	iexplore.exe	38
PID 2548 wrote to memory of 1324	2548	iexplore.exe	39
PID 2548 wrote to memory of 1324	2548	iexplore.exe	39
PID 2548 wrote to memory of 1324	2548	iexplore.exe	39
PID 2548 wrote to memory of 1324	2548	iexplore.exe	39
PID 2792 wrote to memory of 444	2792	Ysgmkcc.exe	40
PID 2792 wrote to memory of 444	2792	Ysgmkcc.exe	40
PID 2792 wrote to memory of 444	2792	Ysgmkcc.exe	40
PID 2792 wrote to memory of 444	2792	Ysgmkcc.exe	40
PID 444 wrote to memory of 352	444	Ysgmkcc.exe	41
PID 444 wrote to memory of 352	444	Ysgmkcc.exe	41
PID 444 wrote to memory of 352	444	Ysgmkcc.exe	41
PID 444 wrote to memory of 352	444	Ysgmkcc.exe	41
PID 352 wrote to memory of 1940	352	YsgmkccSrv.exe	42
PID 352 wrote to memory of 1940	352	YsgmkccSrv.exe	42
PID 352 wrote to memory of 1940	352	YsgmkccSrv.exe	42
PID 352 wrote to memory of 1940	352	YsgmkccSrv.exe	42
PID 1940 wrote to memory of 1728	1940	DesktopLayer.exe	43
PID 1940 wrote to memory of 1728	1940	DesktopLayer.exe	43
PID 1940 wrote to memory of 1728	1940	DesktopLayer.exe	43
PID 1940 wrote to memory of 1728	1940	DesktopLayer.exe	43
PID 1728 wrote to memory of 2204	1728	iexplore.exe	44
PID 1728 wrote to memory of 2204	1728	iexplore.exe	44
PID 1728 wrote to memory of 2204	1728	iexplore.exe	44
PID 1728 wrote to memory of 2204	1728	iexplore.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
"C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
  C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2948

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
"C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      PID:2632
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1324
- C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe" Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
    "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe

Filesize
328KB

MD5
547b878574ddb23538a8d3409ce702b0

SHA1
ede7adac69f17ed846624c8942e5bdf5a737b164

SHA256
a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78

SHA512
966d6b8d7b91f2195e575ff175f718bf66de61830752e88d0f23956c4dbb9069e11002496bb5c31a21bb651687257994d0b28d7bae937fb46fb62f45bf055e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e29e9b0500535cd9775bdd729bfe7b6

SHA1
c46ad4d187501c0b00ccb7206f7587d2565e1dab

SHA256
9d7ed0ef7747aae8df3b6730e24f1c6ffc2b035212fdd8fbba9cb8a19d5ba4d8

SHA512
5d30cc4ef5b61f0e9a8284940f20e410cb9b1a65d9904961fca0f14b3510f5134f9ea6ccdf427e964d635c346f44484ce80631ae5f762ab411b6c5e73f1a81c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53b2a0b0c9817f353e05cc886e82d181

SHA1
449826de0fb8eb62c2751dc4c650b254881eb588

SHA256
063ab43087302f6699206ab14e1e746be2b7d05c7a5aacac4e4fb04f014d93a5

SHA512
8fbaa2f89b3278f907173a8016e5c84a5ff806dc5f8e32a4a41863571f8e6386bd961c798763027a49181f1b1b189ee980caeb09eb2243b2781ccda5208adddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5096a344e901b9d649a3f8f3a9c786e1

SHA1
ae989fb371dde64db0c09b4fa0e2efaff4758336

SHA256
6f0d1dc342411add743d32533adc5920a2fa568309e76570e28315120a7f8e53

SHA512
5b6f2190009deb8f13dba9ab7d18399733a74ca9074db91bd659e982172df0833bb5048dab3bddcb29349528e20a02aee11af14bf1142a38fe6e02976fff31d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8acead69c0fe9f1b182af155fba5f50a

SHA1
c2a31e5fac4f92592ed3cf63f43ed3864e0a980c

SHA256
2f4a4489e64e1d9e27b45f1dbf4d1ca6a9dfb6e8dedf98398419b821d522ce4c

SHA512
feb060f371fe12e652131881ba873c1998539d40caa313e136f15975746a28bce3b18351213a505261cef13b35d2ff6fa53b5835f909d903fa320527e705657b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67e6432ff006a7e0f0de0f3cad2d51b1

SHA1
4acc3ba5a63994c950c224f5bfaabeca595bc021

SHA256
e90775e25e050faad151a5af935a9378847b9e472d12b9df3d9c7c68749ee0b9

SHA512
eeee42f2a98408d4f131412487009b1787a2b0b0922219039c6e0a0306afa6e1cfc1f0c123793faf12019491ab81a46a864b2ed4363ec9de627bbf9025e593ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fee4fffb4feb5b3b5b866462fbc1b00e

SHA1
c0469bb4a1977a6baa209d2724ea380302db985d

SHA256
5ff9e073d2c9c5f87153d3ecdb49193b808ee8e2faef816ec22f6008f3454edc

SHA512
e3add4aed742268d43b7265d8dfe4cb1e8455f23afa287fff7b8cea17db29f1c5d6cbdf8707ae964979be512274541fcbe04e0953d77bc1b692e8996a940d7f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2508058f4facf7f1342d63dc652481c9

SHA1
c8418f57fb6f0d7f429ebfd7da406ed5015be4d0

SHA256
168bf478fa935c3e53d1aa4e4d6cee8dd8a789e005c406fdb67f636a87b00b7f

SHA512
51e1784fb3e185075e4c90f24a7e43ec491168f9949bd0c9d1e94849bfeb22be6856b00e883f60d6b997b94bf7b8d6502aa36151ec5749e53a038160050443ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee0e8d412f2693a72d063a536c1bdd37

SHA1
2a3952bcc4ba9b4d282c189123e7d3765bb77b31

SHA256
ffbf108a15f1bc9c78e61d50cc1ac4fab3565d827e7fc0cd519c85fe17df6965

SHA512
f05e16855844c06adf693f66e0e8d9d4cf959e8a489c04e92fc9d8d95304a65b23ffe9142e7218361c2ce85bd746a0e46eaa5e0ac92189a65288ce57430f03c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb9b93671d1998a9cdf6e2891aafb5f3

SHA1
0663d7fec31280ef0f240b70e04c3e5882ad7871

SHA256
9eee316db195f376af6147b8c325a1a43d1a00efac8aedf9cb4c19229a4aeee2

SHA512
b85a79ec7326271ef099100217f7c993723bb83875d23fb236c4c05b47291a83378dc6ec2eab89a75a41d4cd3d52cfc883fbf7ddea69ed730b461e8dc7d6a0e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71a5ca076f5a0624109088002a7c3d33

SHA1
650c321726da15ad5819f3fe83e771aa2daa84b5

SHA256
0dd4e76043794553405ea89043ae5dfa12d2d31e7b44c0815337a92c30abc31e

SHA512
d523c0b540dabad9e09c0e3b890a3f4ba8cd0d58410f6c51519d18f5df443afabf8b067807442ea55f94a21f9bdce407ff72cea24fe5df497a39d5e6e1492445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
176c4c0bbe78a34abaff555caa1b3e03

SHA1
278c9ea79ecd6fa9f9c9e39dc4eceeb63d8b9eb2

SHA256
6af1138703ed5689f25a3266f9b082e403585454025a66452c7c8b2ffa680c5a

SHA512
26dc4e0d1362f02a2fc1cea95f93d0a9cd6aa2c4a4af1a55cfdafcea43f65dccbbe60cf2cdef1db02422e7b0af8975df2bb0aaef6a2cc16a92d7cb4d0a839075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a23ca5d1f16b0835768356ffd02c319a

SHA1
de43b363992baf814efa519b5ef352d05544127c

SHA256
66a8b7f4d4254bc636e1c9c00e92d043d65e0a10f91a71f887053a393378aa2a

SHA512
62434e9dfc29ed04fca7ce0bb3ec23b9ce37e7c447cc001b16098d9b34c9630b70a52f082237f151e3e13a0379a35c1db1708dd87c82bcf0b736e09e3305db0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf07f2325c1c70732a03ae908fd3574e

SHA1
f10acc061b264c4f30ec83d711cda713db30f40f

SHA256
0f5d68640138c2637792dd477deaad061311b3481d9a4d5078b8fb19e9dc82e6

SHA512
cc4d91dfae53e5a092d726979c31deb91fe577f4922c93028e8f40a32ae2e37b3dc9724394adb26e9593294b7657e76aaf63a0e39a6fdf7ff89c5d82dc7c59df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51cbb7fce1a8c0716a16b05dfb2d1f28

SHA1
1309a56f626b523dc4e8cce6ed974411e0bf7f0f

SHA256
09fb3ea886f94f7920d44536b02eb1b4d0efeefd32c10c8509fd584cb3a85420

SHA512
ef3af09fb54ff4d62b8f0b08de841dc00735052655bff2aadcde41c24e925d5fd16092708548223b428dc02c0b93e760e6304a8aced7554f31c0920a37289912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac4efcde4b5af2a7d92a1859033c0e83

SHA1
be6d385b410d79247592f834ee95e30f1c7c942f

SHA256
d4094f8d3e29fc987816d2e6341e73905a82beb74ff65e027b7852dd76186d2b

SHA512
4b7be47afd005327bff6476c3f04644018ddcc6fae205e548ec42a1e9f64eb10f17930c4f01663e7d1f34c7e83449b4d681441d4842b243b461ae627b915aa7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d944ba6c030780e46d34106ecd17f28e

SHA1
ca71ed63d52a1a528639afccea01e591870b3514

SHA256
b333833eb36aa0b33c349244339c8d8a0f5033120f3a9f0ade76a56bf214dd3a

SHA512
4e4f2c9474b9832ea655d9a2dc13099dfa3bda6a76288d3397bf5de40497c24460ae346389bda319950d112d15cb84d4520e7e0fc32067d136158e2b5de3cf3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f644ed1ae91a766a3b7570af809f96b

SHA1
0898354a3ecf5affb807b92dc87ff917cee147bd

SHA256
6899256036536d9068d03b9f1ce6392d7cacc8e65f9d8d4b68f6e57ae452160e

SHA512
247833ce816f23997f331685e6806c5b7e30735fbf933937952ca93a7be34deae5ef8480c974b8778fefac47b71234696655bbaf045e580953892ab5054f548a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b579da5740d382a2c2259f47c7ee7a1f

SHA1
070424a41c97ecf215279fe7f24d5ea9d9d2257c

SHA256
9e6cde2ed79d991e1b1d665e7d80bff70f3a30dff32035dd1bde8ac214c2f3d1

SHA512
c358da105ad2e6a321031d27617c312f2f9d38678b592fe929d6feed3fbf85fec5b520c03b870ac71d7753c532d6aab5feb924201d1b55b4c4bbf654fe602b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ba4fb0494a8a0cdc621d9fe86ff90ef

SHA1
aa10ea387237349829b03a6785b1a4b3a9346aaa

SHA256
b5e1d548d516525408712fdf4cceecd93d82e846accbe4b401e6087fd7102d50

SHA512
7452db55bd2eefc44cb829825404ae1c782de095dfea596643740b8b6e570d7b9c1f09ab72d9139b88f1483bd3cb8ee42a5c0c74863389062f833259145b5bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85772304a1d0e46c8022bc6e776b9333

SHA1
15e61915ee28d706e093b546ebbad55251710040

SHA256
423300562843e9d18d3e48081ee7ecc3f55ebc3790e1b3025777b308ecbd4bfc

SHA512
f3276cf2813551774f232f4e75f5a59faadbcabddae138ebf06cd11cb086152be576eb149ffcd2972351c89b730f64462433f5468eef3fe03b842e72ef2e1012

Download Submit
C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8b3b17a49fbe73690f0adde999871cfb

SHA1
3edc5800d1c79df4a20a3477946e97000a0cfdd1

SHA256
8663324998aef6168d79e51970525304daeea939362b6400b8ad7ed16728e4c4

SHA512
54be213e2aa547d19de3d9644d2564d3ceaff1c2b6804b23a65b1c23410ab979f14e4d9cc73c6fe79cb111e30fa1ec77d41cad52ec39a4dd2439f50bca596eb2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48f47f0a93a825911116fb203617ac00

SHA1
0a0c8e4a2d92ffc385689e97954491e8ac6faec8

SHA256
fd39fa17a1f10227af866f5c96c89b22af145594b4dc66334231b14c2bcec799

SHA512
4c5f2cfbb8049e7a92f0e9780feb29dce83ed392f9450d6bd5b5129fafeaa1160e46ab37790d8a03a84ec53659e2004fe510639303f641b3027dbaf4f0626f1f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cda32327a6e3905a006ef31ee380aa88

SHA1
113e2f13c8c5b1b231334ce24b4fb2f76ea48ae8

SHA256
8a7be103983dedb0e011563b0f6d14d1d8212d14f4ccde697d066cfde6fc7ad3

SHA512
15881d2adcfbe36c1133e69c35c2f16aff1725cba4ffd8260ce9bab181ddf23380eab73d6800fdcd9881fa7e074e4e6bf1b4d36b000824b117110960133dae6e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44c613b50643b274d78afc53d6b97e49

SHA1
72172f0d80e69ad706a2722570c95ee7bbd2654a

SHA256
6e0a9b2c857626074e3d8c941243bb377c499184f1cd10671668a953c17033c6

SHA512
82df8cce1456afd3debdf5f8d4627340d471f64dc2d320041ca8b284d10dccbc992f5f1984b8cfae968fe82822b1a8574a808097e0c8fa9f2aa3b910f0fb0765

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bad41399979f5e0fb74a6a41edff6047

SHA1
879d95748d5ee7c1f688dbc555584add166bf159

SHA256
81dfe776e2fab9bfdca72b2d107f6f56a0aa8c162bb18ddad9e87a5dcba12e21

SHA512
054cdfc33b0f018f0d7d5ebd40955ba71c28d526d8e83abb825b525e458cb6f301263395006751785adf851bcc96e1cf185b7aae5a33d00bcbc0dcfd23b867a2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1be5ee7dd99e9affbabe8d1dc95739b

SHA1
6f670b51f763d68e42885ec68326bd969e953287

SHA256
ff690b5c72873628b0a8e998c09725eb5479872bf549f210e865d013189d9457

SHA512
c3b7709fe1080887c29157501f46b32b70adcfff8267a6ef6ffb0ad26fd0e9965240b80f2210e00b9858394ccce9090668858e29b2fc876a489607e48443cbb9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47bf05edf673b32f85ff4f22174d4a1d

SHA1
8051f02483e9e02924f48647ebd56c967033d7a9

SHA256
1e9eed4879f06c8fbb0ba2840723b2b5ad525be0647b6d9d9bf34d7cf327556d

SHA512
0c1ab75a78f7286229a22e88e83ba7206faa2dfa3dc05b74fddc3340b3b30fe343d5e6f2cf77fcbf1f686828a8a41bf0f93d29d98c3bba9f59ecb3f459f95fb0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
583b2fac8323b893d36f27eccd348690

SHA1
256c01055d63f808cfadd73b58e9e53e1c1b3e81

SHA256
76af5ef986b296863d0270ecd155e1ec81b27b7c5a67612f95634bb30e53e0ed

SHA512
25078f668257d1f4be1816d88dee0626fd8efb2c94a04c64fbb73abed6eb4c48b1411e12dd0754df68544fdec710f8526d62c010e35ae7bd8c119795064acd8f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7239d50915d762ae57881fec33de634c

SHA1
323084c71ac9708eb221276e8d49b2b646bac2dd

SHA256
fe6331390b3752925491e238b3115076874bc755fd4f5aea328d208e64b630bf

SHA512
1e2a17978cc0525fd5f2158ad58a6829af917b8573bee53732df8912cc623e84f9b3e4972fe066df676f7f96b1273d0861917024ca0bbe17269e6fda00bb6623

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee301fd5224c0ecb6b683c3e9b70193f

SHA1
9bf53645a90a4bc336c7cc3b8e62ba1e50d3fbef

SHA256
ede11398663d8525d4187c621a652cf964c6de539912402e0117121274c93e66

SHA512
2e4d47b84de5f3234f37aa9f0fbc0e2ca45dd389d3e5b9b9af1724483100456690851ff54de7152405ca25f9a1269da62a5f18360aa46931b5ff4ff3d243db11

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
428d5958c94cd9bbd844f5566f747bec

SHA1
17174a833035c8767869b78757eab860c5d2b2d0

SHA256
b3f3efe8235620757576a87df9171217f8a9a0b51544bf1967ae051f03df3074

SHA512
07b5bde3cb7861f4dd53e7cbc92447dbe058003ad83131b284454b2803f05b2861db66a3dc038e40b4c608500b24c0378fea9a8b192f35c57b0ab3057a70d700

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c06383fe0d21d90342d7d090b59fb33

SHA1
415fc49267ebbf640073a6cf5f4d813cf7b3b07f

SHA256
0e21af38552d67f45d6e0154c0ce593763223bdddea7baef667d895e1076f114

SHA512
7a1b8265a082d93d8439797416786f1da6039e5f1375b7383ccf690a6ab3484c2d960ade509cb6f503d45c258d2f8eede25978b2a80b2c01056c24b20ac48d61

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2f81dc94ec571c83874443ea3145e96

SHA1
33b000c610f673c522ae48d1d530c0988558aab7

SHA256
cad6e3d818e0d85c4e80ae9c50ce8435c72055e43d617170b1adb4b4274bc45d

SHA512
4984b47f4d195af1a5b669ea9a194896d2d26648e23b35cabb4361a0456bc8122f55370239a82f91fa5e23b6852d7cec23ea45e022fb74c8ce956c5db60d4aca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb08798cd130a1adbba55f6ad415fef4

SHA1
d62af2a6286092707a616ee20221a5e0661d3eac

SHA256
488e0f475a264f1038f32ea9ee9e68c29b01f033fa25a19b83060dbf71477d64

SHA512
f4014f0f53f9c39f7319f9c2a5c2edb4eb8079fd6146c24d384084a0be4a7b2a4f8f20bcd97f6c6801219fccfc8904d35fefafb717129ffa8459f909628f0b2e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5383ccf3cf3fe6b5cf92f2b842caab33

SHA1
c25b8b70eefbafec00edf833023730de273ecd33

SHA256
37a81dc89193754df9717ce8c7e7bc1b1faf15f1f1649da007a8ef89d8442c6f

SHA512
d223bd1026885084473a76dfcd117120c406c840a301e768807036ef926665702cb6c6f3d650ed36a59c13233002a89717f0b901e370a468047cc90511ce44f6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c91a6c0de993df73d62cb94702194eeb

SHA1
492f40df0d1ea39b463d50916300008cf1b237fa

SHA256
92f886f2340831c62a770980a57642a3a9db3b0dda2a876b264df5ad25eceffc

SHA512
b61f4052220c7792c4f9c3634bb7808d00e7270a089fcfd6e2e01da09cb9f7468687c6acd1b45b861f5a645e51ef1ed73631ddc5170fd3a9fcf05849e11e6cc9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d04098447a594d990cdf8f3023e14998

SHA1
787b70766cdb502bce228c104024cb1699f60ee7

SHA256
19445231b44dfc3f49f62774bcce3f5d724ea377a0f3f42bcc50c02e2a1729d5

SHA512
63d5f1f9445883880172a1b003c49db6477cd36a26791dfa7bb97651cac321387043efce3aaab4287ea1815a8b4474a2c65fc4176d69b6dc31b8312ad18aa51b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
870fd8d1e8a974fd82de70ff21168f12

SHA1
4ed23450c1769a13d8db5f672030ba720178637d

SHA256
0ad8f33f355070c7d1b826bcb139d86750b5e3b980ac65083bef4908e036113d

SHA512
df9ecead499ea89956fc9ca357aa336af109eeea2a7e64dcd912c9452c9bb05ea6a4a16a5cc955e09cc18e4d4677a27f608cdc2c4a3d79bf0cb7575d278abef2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2e9d0ba70bdcf3b8e407f3e232cfaec

SHA1
f9623ce622fb8e7fb5d293d4fb4dfbf3021f03e8

SHA256
a10bf6e3f07d2b230311e7064797f0150d3b45c8813d505b4df67b3ec973cabe

SHA512
c706219d62cb8a536b9109b877e9135b1bd1c762d1f95c1b5b9c826ee8a7abfd82202ff6cfc1a8bd6ddae3568b0122870e6ba1a7891c000d8cbff20cebf8ef73

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f249646cbc8e8a3fc5314191a2018b2

SHA1
df6f303ffef3a774811f202ef68941192f4c0a84

SHA256
791620c8039254ccb47eb22e3db196e991d7b2fc9b87af1d3fdeedf59af57531

SHA512
e2ab682c5eeddaa876a262df76f2baa906ba94b984680ad3b0339912e5c5629b48373e8f3f54f1211e50963acf73927ad769224733fe70a632b2fdaee88e6933

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c2844981fc26cf1468fe382565d05c6

SHA1
b1bd9f22cb89d41850eaadfa506969fb29605a58

SHA256
bd0a2f4b0a3620794001897f024866e76841421c4188c52412c1b4e0dbae6b19

SHA512
0856a12a04b32e40ee3a063d89fba1a0c7292a6807694dc802bd53edcf8758ca773e8e5d72bb397da0015b2b1eb302fe7de3412cc9562c284a888b185f6bd341

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c41555e5bf2390a6b0f4d000475eda90

SHA1
cbb316da875e7a59e8ce788d327d4d5d7b011e64

SHA256
3cd491f272ecc0ccfbbdef0822edde491edb51114cebc612dc8cd2e63ac35e52

SHA512
ba204e30ad4ca245ab68cb91f13f8dfb26185a3ee6f579176880d452a189fb7153a82acfc547f60bd0a9d58c943118c76963a7664cbf2150bf79e1028d782d04

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c884f32ff3b4c5ff15478a8d1d67da9

SHA1
be3c805373927a6d1f9912e9c9103bfbcc0145f7

SHA256
9bc74d80233f210fdbcfd9fbb3b2ef0d8ff1240548247008699ca275c99b19c7

SHA512
30620370fe9d6a701678ab51c47f0d8c222d799eb4f128a2dbf0040aea5a33f7fee06025d8f0a79b3af8b63a8b9816bf37274e4ed4af952b065b2103f880a1d1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a548ec1dca1212753d077e4b319fe486

SHA1
f4ec29b931d24649afaa023c26ecef9983b573fb

SHA256
06ec064c5d682b6dc505f88e43657619c03384121bd502e3ae5fa09d5aa707b0

SHA512
1fb6f189e27a37f2bc32cb107a5eccd3a77ae8ff07f9b080fb7bea833684ccd1c1736562374ffbadaef30716acace8fd9c1a2e6372f4fb8443a2e8b3a7a0232f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6d709b8ab7c05ccc3b1a837bb48f6e9

SHA1
a79a0769b3fabfa7cf58c84366c6946cfa9bda47

SHA256
b34b4ca61bc21bc64575afe848e463153cce61cd7fcdb2f0591621442dc31ac6

SHA512
6573ab9c3719bfce41e77b42c2d0c716cb00c3eb99751f4019600735ae33fc78c07460653057cc8f3232cc856eaff0c051c4d858ddfe6e21b1b24b0e8b00a710

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57fa952dce658ddcd007a4e48de798cf

SHA1
10b279441eb74910c77488b303262103e3008563

SHA256
3249c169f0a7f5ebd99d6a8115173f7c1c234870b8d91836b345c1122d663167

SHA512
31952a5ce6721041e8b81cdd0dfc867f12b36f97d4c45f95e29c40659b96aeb268896630a301e174abacf3e8367920afb24bbff1c7f157e7953e3e222afb41ad

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
757690908ab5a34b6822b3a0e51bfad2

SHA1
19a4fdb29855b67547d037cd63e53a0fe49c8d81

SHA256
df7c9ffccb899246db34a5c8b6c6c128582d8970aac4193239ec00943ab2e473

SHA512
5e47a7ad2d1d30082051ef1791224a3d7e1206274308389f78c19a753923dacebf1dd7a1948350138294313cd1af1cc9350f275fa0677179e85b0974746c2f38

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2a1eb49278b679e87955479c28225d5

SHA1
a91f68e705e9d6927f6fc00e56b41c2a03df867b

SHA256
8c1ba5ce3d7d15d9f44f9555af5f209cc7349dfa035b011b913d00dc5b1892b9

SHA512
f71efeb56415973a9b1fe8eec1b25fc3b5d959eac5702985be1d45def6563a700f7c6d0a7f1601656d245dd8b024f20fd814355ba074099a25150eb9f32a622a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcc1aee87a98d4dc04a3546df9e43aba

SHA1
5a840b082db377b7eb74ca7ad4d5f243bb692c79

SHA256
3c3bb998a5a5900ee60f8cf5615f9cb0378a46fe0a960f1d4518393085530f52

SHA512
b324ddd86fd513f26355210ba1f47c65b7ec7effb38fd1b1a99579e7f4c35de205f927f4a85331f5bd7a34f90b6961e7ec6eac184b80e838c1a7257e3cadaad3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b517db47007743b0a07fdf8dbedaa64

SHA1
d4d73d25f5f187b9c02ca96d294ec07e6b8478c5

SHA256
3710bee8442429226dfbe462909964119e4333ee11f22d3180355aadc672f675

SHA512
afd8eb71c557248e127622e8ce89cd35e5ccba2ab915e8e0027907792322633fe7576c80970e36904cbbe4f562129ea95de220e13354be5684895665a394fb20

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e75778c325a084fff3bbcf9de41de5

SHA1
a66815401247353ab5f8f21120c7f6e4920aab98

SHA256
37d4f681c8bee22e877d4accf887878d6f4e42fb04acb509076f9cdf6209e1dc

SHA512
e2da51324e1fb88721273709d32c53396fec3e9298a9beb4035e6f47e8b22ca8ffb3adc7e78d2d60061f94a38d69544becbdf2576537273b1a521fe1022cf14f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
7f13ee1969a2f98e68edab4a77db1d62

SHA1
9d8e4676d994e250b21a1aad29a8a7c91cd457c7

SHA256
6ae204d1709fc29bc564a550aa5e1df696764bdf091a057ed38f67b1d1f6c931

SHA512
bb3e37e7125c81e3dc0abc9a85fb3ea49ce1fdbafc0fa8aac19cbbf1602770576ce9528c982e2bec636f5b8fe53a502089dec83a54cf904af672b0fbc0a65723

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabF5E8.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarF5EB.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarF739.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwE9F2.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwEA02.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9a0bd046368942204a05aa5fc36038d

SHA1
b19c5ff87e00ca08ce55fb976001fccce662ffba

SHA256
a70eef2cfbe00143758da662bbd37e445f8d33366da7f8cd59d777cb564e1ce3

SHA512
85bab89296efe8f4756810d206c19d8c591004b5fbdd67f63e0500ba05a3bfa8b0f007ebaa81c8a64f2632efdb186faf83ef55d33df5ba867a3c9c162d77c40c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{285285C1-AA5D-11EF-BBB7-C6DA928D33CD}.dat

Filesize
5KB

MD5
165341a3751f07789b9f6fe73e7c2e87

SHA1
e478e6abd6b99e5940926313a9d032a8e41f870a

SHA256
b215486a5421ac64196b4d254105a731ed660db0aac9a1aa5253afd2d2afea01

SHA512
eb99638f8450080ab2ec33e3196364489396cbac4eef5fd5ac792203b3b21266b83e7db47b29efe6f60270db317372ac654fa09e2e19696c93f72f8eb28cace6

Download Submit
memory/352-150-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/352-149-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/352-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/444-140-0x0000000000560000-0x000000000058E000-memory.dmp

Filesize
184KB

Download
memory/620-47-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2308-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2308-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2308-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2308-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2308-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2336-0-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2336-39-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2336-43-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/2336-1040-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2336-9-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/2336-5-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2360-19-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/2360-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2360-16-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2792-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2792-40-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/2792-131-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download