gh0strat | 1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe
Size

328KB
MD5

791174ec65e2f38632b755a3543cfdea
SHA1

5441097974ffe1614d6d14b53290cda1b4ef682b
SHA256

1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da
SHA512

3360cbd5712ffadfb63669e9105c1fa1b75d64c7880f632a30e1d52aa94b20656883e15c9c8130d99f08c84dcaeec71aa1ef698620f16b591ecdb575bbaecd5d
SSDEEP

6144:4eKKtlCCp1fBpzhhh2KNZbBKKKrx90J8GtiU67+arH0:hlBpBBpcKwnON6CarU

Score

10^/10

gh0strat ramnit banker discovery rat spyware stealer trojan upx worm

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/2808-5-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2808-1-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2808-9-0x0000000000270000-0x000000000029E000-memory.dmp	family_gh0strat
behavioral1/memory/2808-29-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2904-36-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/2904-39-0x00000000005F0000-0x000000000061E000-memory.dmp	family_gh0strat
behavioral1/memory/2904-62-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/2808-1053-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
2892	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe
2828	DesktopLayer.exe
2904	Ysgmkcc.exe
832	YsgmkccSrv.exe
2132	Ysgmkcc.exe
2640	YsgmkccSrv.exe
788	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
2808	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe
2892	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe
2904	Ysgmkcc.exe
2132	Ysgmkcc.exe
2640	YsgmkccSrv.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C92E7961-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CA853F61-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CA853F64-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C92E7961-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CA853F61-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C92E796C-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CA853F61-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C92E7961-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CA853F63-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C92E7963-C6E4-11EF-B4AF-66AD3A2062CD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002c000000016d70-6.dat	upx
behavioral1/memory/2892-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2892-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2892-15-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2828-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2828-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/832-44-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2640-145-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px5744.tmp	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5CA1.tmp	YsgmkccSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6567.tmp	YsgmkccSrv.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441749007"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C85F61C1-C6E4-11EF-B4AF-66AD3A2062CD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca9c10a8c484f340bbfbcdebe6b07ee600000000020000000000106600000001000020000000b064b987c8e82204cff886c514681fbc6f909f1dfd8230f0e101276f55d2b8fd000000000e80000000020000200000007408726a5138e40ec72d1ebe7cf65b6c1cea25c9458c9a3936425af83cf8afc11000000005b3eadaaf225b8823f5532572a79b7940000000af239ce7e4154398d55314eb0cb0ab5698b12f4009fbd3c49878b68d2fce297211c5933b3c43fa7fa611d83ee75e43cbd1ba255fbdaa5c8bcee5795049cc05ad	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070c0001001e00130020001900390002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca9c10a8c484f340bbfbcdebe6b07ee600000000020000000000106600000001000020000000061d19d00bab7446432ea23c800fe688de412bec020a106ae3186a27ccf35d2a000000000e800000000200002000000042f4c236015d23b2b66d1761b38da436600bf5db4b20f4fb2cf096b66889ac56500000008d4c309c40710d5ffcf5e4e869712921ac2381066edd31802af97be1ff3ff074bd16c67c12b6a773559f21fb5d968435ecdf656a5723b0b5776e5ac47322757984d34abc5beba9ae5a49283d3e72e5dc400000002dc4dc08403af9fcec3b23e6ecf5fa6ef5c5aef0c523e3f0e07c9dd2dbf44ed1fefcfed2f4360141b80aca1c1be8e929a64b182179157ebfb95457bb3cb95508	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070c0001001e001300200017005803	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070c0001001e00130020001900a00100000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070c0001001e00130020001d00d102	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 401f458cf15adb01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070c0001001e00130020001d00d102	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 00e2498cf15adb01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2808	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe
2808	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe
2828	DesktopLayer.exe
2828	DesktopLayer.exe
2828	DesktopLayer.exe
2828	DesktopLayer.exe
2904	Ysgmkcc.exe
2904	Ysgmkcc.exe
832	YsgmkccSrv.exe
832	YsgmkccSrv.exe
832	YsgmkccSrv.exe
832	YsgmkccSrv.exe
2132	Ysgmkcc.exe
2132	Ysgmkcc.exe
788	DesktopLayer.exe
788	DesktopLayer.exe
788	DesktopLayer.exe
788	DesktopLayer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2808	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2908	iexplore.exe
1036	iexplore.exe
1036	iexplore.exe
1036	iexplore.exe
1036	iexplore.exe
1036	iexplore.exe
1036	iexplore.exe
1036	iexplore.exe
1036	iexplore.exe
1916	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2908	iexplore.exe
2908	iexplore.exe
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
1036	iexplore.exe
1036	iexplore.exe
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
1916	iexplore.exe
1916	iexplore.exe
568	IEXPLORE.EXE
568	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
568	IEXPLORE.EXE
568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2892	2808	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe	30
PID 2808 wrote to memory of 2892	2808	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe	30
PID 2808 wrote to memory of 2892	2808	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe	30
PID 2808 wrote to memory of 2892	2808	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe	30
PID 2892 wrote to memory of 2828	2892	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe	31
PID 2892 wrote to memory of 2828	2892	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe	31
PID 2892 wrote to memory of 2828	2892	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe	31
PID 2892 wrote to memory of 2828	2892	1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe	31
PID 2828 wrote to memory of 2908	2828	DesktopLayer.exe	33
PID 2828 wrote to memory of 2908	2828	DesktopLayer.exe	33
PID 2828 wrote to memory of 2908	2828	DesktopLayer.exe	33
PID 2828 wrote to memory of 2908	2828	DesktopLayer.exe	33
PID 2908 wrote to memory of 2668	2908	iexplore.exe	34
PID 2908 wrote to memory of 2668	2908	iexplore.exe	34
PID 2908 wrote to memory of 2668	2908	iexplore.exe	34
PID 2908 wrote to memory of 2668	2908	iexplore.exe	34
PID 2904 wrote to memory of 832	2904	Ysgmkcc.exe	35
PID 2904 wrote to memory of 832	2904	Ysgmkcc.exe	35
PID 2904 wrote to memory of 832	2904	Ysgmkcc.exe	35
PID 2904 wrote to memory of 832	2904	Ysgmkcc.exe	35
PID 832 wrote to memory of 1036	832	YsgmkccSrv.exe	36
PID 832 wrote to memory of 1036	832	YsgmkccSrv.exe	36
PID 832 wrote to memory of 1036	832	YsgmkccSrv.exe	36
PID 832 wrote to memory of 1036	832	YsgmkccSrv.exe	36
PID 1036 wrote to memory of 2004	1036	iexplore.exe	37
PID 1036 wrote to memory of 2004	1036	iexplore.exe	37
PID 1036 wrote to memory of 2004	1036	iexplore.exe	37
PID 1036 wrote to memory of 2996	1036	iexplore.exe	38
PID 1036 wrote to memory of 2996	1036	iexplore.exe	38
PID 1036 wrote to memory of 2996	1036	iexplore.exe	38
PID 1036 wrote to memory of 2996	1036	iexplore.exe	38
PID 2904 wrote to memory of 2132	2904	Ysgmkcc.exe	39
PID 2904 wrote to memory of 2132	2904	Ysgmkcc.exe	39
PID 2904 wrote to memory of 2132	2904	Ysgmkcc.exe	39
PID 2904 wrote to memory of 2132	2904	Ysgmkcc.exe	39
PID 2132 wrote to memory of 2640	2132	Ysgmkcc.exe	40
PID 2132 wrote to memory of 2640	2132	Ysgmkcc.exe	40
PID 2132 wrote to memory of 2640	2132	Ysgmkcc.exe	40
PID 2132 wrote to memory of 2640	2132	Ysgmkcc.exe	40
PID 2640 wrote to memory of 788	2640	YsgmkccSrv.exe	41
PID 2640 wrote to memory of 788	2640	YsgmkccSrv.exe	41
PID 2640 wrote to memory of 788	2640	YsgmkccSrv.exe	41
PID 2640 wrote to memory of 788	2640	YsgmkccSrv.exe	41
PID 788 wrote to memory of 1916	788	DesktopLayer.exe	42
PID 788 wrote to memory of 1916	788	DesktopLayer.exe	42
PID 788 wrote to memory of 1916	788	DesktopLayer.exe	42
PID 788 wrote to memory of 1916	788	DesktopLayer.exe	42
PID 1916 wrote to memory of 568	1916	iexplore.exe	43
PID 1916 wrote to memory of 568	1916	iexplore.exe	43
PID 1916 wrote to memory of 568	1916	iexplore.exe	43
PID 1916 wrote to memory of 568	1916	iexplore.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe
"C:\Users\Admin\AppData\Local\Temp\1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe
  C:\Users\Admin\AppData\Local\Temp\1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2668

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
"C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2004
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2996
- C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe" Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
    "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe

Filesize
328KB

MD5
791174ec65e2f38632b755a3543cfdea

SHA1
5441097974ffe1614d6d14b53290cda1b4ef682b

SHA256
1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7da

SHA512
3360cbd5712ffadfb63669e9105c1fa1b75d64c7880f632a30e1d52aa94b20656883e15c9c8130d99f08c84dcaeec71aa1ef698620f16b591ecdb575bbaecd5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16ed0a4a7ea1f87f4681b93556bd5c84

SHA1
fd6059823362ceea91cb947aa9114e525493a8ee

SHA256
9217c383cca445f744d784396cea6d22ca404f9c558603eca1236785e84971d6

SHA512
1a52312442be990fb60283f970c3dcd207d8e827fcc976a9a15c6399ea15344afe82c79fdd78e8b8027cbd173006aa107ef369b3474060f5e0afc4dac7c9a37f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34a69f47a1cd58aa36254cc48fe171c8

SHA1
1fefe6e70621a77521f23ebf4eea16e2617d669e

SHA256
2abe4ed8f0e73cd71c97e4929ec081e104262afb1282265233c6f1af0d84f0b0

SHA512
a2a42bde408c5ca4ccfc5358d213beba4e045de40d78d329e9b22b619caba8d3b3fd73e2853a79773ca3f44bd5412e171b0c1d2c39d1a15f8e13c0ad204dd140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40a112d63dc3b87ca09130f91730096a

SHA1
603f31bd3a035de5dfedac24b3cd41440a31c2f6

SHA256
cbe584f4b25d09fe14c4c4483dac2332b1318648d56a1fb2aa550d66181cfc77

SHA512
e9ef9990cf9356c53600898f30969af3330fe211c268d8edca9877ff0a7e473261ac923b2095e407394d87269a26d13760ae42c791ffd3a7a89d60bc1f494a4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2228204d22504954cd4ad5ffe470c537

SHA1
38ba059e04cc4e8ca2ea67c7c2474307d44b89ab

SHA256
7d2ae878f85017da584ae2fdd777fa7da7d860bd4a9403869aa85e71ba5c6f01

SHA512
0004dd898366b25b7ddb970246f811ecebeb4e7436a36bad3f85f4336902ec6ae9c2eb086fd2da4f2e582e299da1c0e7ecff9138c394a915f5ce819324829946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
034fe8ee625a84f4ca533cc49dc50e6f

SHA1
003aef3dde24836f619754f900682fe547823a2c

SHA256
f4fd6d219c7fd11f4aa2024e3d64f4771b7029570ee7e65be0068f21a24ac6c4

SHA512
b1cc3ccd91762fe55f210b87b326dc4b1dc2377422a4ca2a28ff87083af7240c992b23689eae30c7a27d5d3198b3de01fc124e082589980719bb3660efacd993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2839618d7f6b5cc67502dd33c356b6a8

SHA1
c9e762f72776df513b6a0cfa7e5a864c5506d968

SHA256
b4b83f5a07f9c9c31a3db235c7eab848412938997c6d872b08a6613dad943e9e

SHA512
dbcec464dcc7452fbec1262c9dada35ae5ef55529277eecb6218336f183c6675e06985c30df4db775beba263add9c129b396461697bb44eb2c4da502c9b8e0b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9af8cb0dda4f79770485acda524c499a

SHA1
3c6c07ee12804a7d9038e9020c5c2cfecf29aa59

SHA256
bafe26d2fa4e5fc120ed033eafdd35cb96498732fb6c9f8eb08d20a556acb556

SHA512
28c6c3f9d065a849b8f0a87ed9f5a5a215c06142f1d6889fb131acb3230d8066e902592781b1b77e6016d62436374ad1b89ddf65097b9a7c8849a42be7f4c77f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0a129dd88165b76966e4b19fc91a84b

SHA1
515493b160c17f7c1d000312a4a8d70c51715264

SHA256
38f6322ded7f5b025fcfa8c1b368a68177419aa006dde95dd6f303b1eacf4edf

SHA512
749384e214f3ffb2a5981c550689802a2465514c1d6c4680105de9f6a50484369078aade9d135fc30fa57db9576602e25d5e688ad607019ae6887cd1bb559e12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c6f2467d7f84aa7480648f1816fa342

SHA1
524695df529750593197f75525d714ba15d6b510

SHA256
e2feab18c7bd77571e017a5b4780d5caae0ba892141a1fda928fd5941eb8f64f

SHA512
c1f53c8e74b56647470ac24adfe000f5e1cf583c8558ef47bde928e37f91e9292bd913276cc763b7a1bff2f59036f4452d2af7ce3a28c3309e4d284d9f3f07da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04cea49987ac3a80cb7418b0a5ad9a3b

SHA1
bb38b320b4ff0236a4fac19abe147af3cc9c40b9

SHA256
61b065f7dcc35ac4b2f561ac81933da41f88a5b57ed61925582bf3b076938a5b

SHA512
04b66a658206070aa630f5ab49eabcd1c64dd54d7216e719a3faff0786b0a6f78d7edba63340bb23755e2c2acd2ddb3593212e8d571246543da5e46c920e8eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d3f45b933127d0545d1488fa2e0f77e

SHA1
f81e3ceb85a8f154eb02cedee5457e9699631a86

SHA256
3b474b6bdc8c4935ed3de997b37252be9421663505adcb39e41294670879841a

SHA512
1858ecd4a6f51ed023f94282a04af6b2c4bca65544ddd2eea9050df0a9d360f7e6b10c97395ec075b7b0a7fad428a59990b059dfa3675a583bd098efc3956e92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ac3cc4a1f4b2cd913b9d34332143a3c

SHA1
cd97ef2cf575622c07ec2a53fe488f7b984000fe

SHA256
b7fa773deb9e9a98af7f8a69fe3dfbc73f7711e7fc4c4757cecc378ff05e8728

SHA512
183e553b4f4c9c247dc382d9e2f68ede92e9876b738209fe813bcda90d75ffb37776db4d2f28f277097d2e077dde49c4f23648ee57f2c2fecfe857537f30f23f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a354894e1c62bd2a2f2899e76faa22c

SHA1
76a7f9c231d925c6b5540b6cb0ae7af6d9160a67

SHA256
b01c4c5d6a85c6fdec8e2fd3bba55c4659e7b32685ca1f73a4d053079fecfc78

SHA512
ca753d3fc920112cc9a9de88d3155022c5d2603b38b104be769e230573d47fecee6cda5632da4fd08de5513297af1d75126c5d550788bfc03cf81a2ca9465599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7928c2809211448ef4d32526f30b67ef

SHA1
336aae516db0a747829133e8796cada26830979d

SHA256
b98a69e91ef14ca1faf2e35a50ee7721e813a2eec8e36b4c60b99860fdb1cf75

SHA512
b20b78a82387808078ff668ec807107a20e5285186d67678fee73dc7dc39b4f674156e8784b78f817f0436be40be40c843b1cdd15d48210ee2093d5cdaec1732

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8e56726977ebef99cbc3540b0e0de98

SHA1
967873019fae12498d1b62a3a09f4eeb067722d0

SHA256
e5e3cf8c11f5a2af8b1d4a8f7e63cde26b57043c217c22a6249125c079936a12

SHA512
1d53b149e620e6513a4e01498970df836577790ee2acd498113912788aeea85fe07ad068185cf6eba930c16cff6a64b788c729344c6ce67b0850bc86519d181a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
311d6f63ac3dadb5f879a9d9ac3f9384

SHA1
19e07342f637b88b638d1553a9d94079555d26c7

SHA256
f152decb091196fac7afe1474dae57ff63f3692f80e4fc160919599aeb42d5ce

SHA512
f0616f77c37404cfc0029b2ef0126fcf3f366cfe9f54498ad9893337219e8d41ce79b8071db7cb9ba7c2b8f7b60cd540aa0bbc16d23d39b7b4ed962716ff1aaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
443eaf5d87e628aeddab758e09bc4831

SHA1
3c68fb7ae52350ce6014f2afbca66e4d972752cd

SHA256
ec63f201a4dc941f1180d7083d4cda3a4fb4f9f32fd4f7284b2bd16b9918ed04

SHA512
b815a68b4a65c48e5d5ad269befa96fb2f6e6025d92bf4455e5f5a1b7f6ac66128f3cd00af89d7b160e031919229ca19fc29acae36e5c34520ce7a4cc84ba9d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01dba14030462f5d0af09a829b4283fe

SHA1
4b89936425cca39b465184e810f1b7d75579c136

SHA256
e1234f414fc80bf3adc8f8c70358239f06db5573455889b3a943830fabaafefa

SHA512
b2144824c57246cf77b2e0863949e6daccf939c49bf07a4102639ff9d1adf6c39a6c71b96e4db4b2a953854992aa612408b8f297230d6ad002777d7357a6f2d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7327bb7b8986243566e6ac4949ea49eb

SHA1
457adca81fba07673daf2c8f1d2c4f1104178b1e

SHA256
5415129be4df61eef60a6587dcfafb5edb70c542b6e0959e4a88cc18e301e715

SHA512
159b632559b0f61c924e449855bd4bfb3114cb57d92328217ef65077c6c649572ec3efa538dd7c3a87e1a7fd55c672f412b5441772c862a5a90d1750e63a253d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6EFB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6FBA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
467bdd286aa01cf705044afbb56d1db7

SHA1
816202b0bbd1a9f485e0976ac445ded9fa2fe6d7

SHA256
95ac1fb2813530c5695b93dde1797b7f8f082823e05cedf3fffd6c594d655d27

SHA512
2532f263d1d897ba6e212b9daee8ba4740606f1b562a0945e7b67b67813635cc2ed701a23492a55c8bf42b8cabff51be6c75b31ed95d0b4ba0a2990e179c053a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
660acb529a7a9257d007d8b0bdc7cf9b

SHA1
b84dc870acb5e14567043623ec816d17017e5f92

SHA256
e7576b1b359ac293185cb61ee0655bd586724600258a2845aecd7d761d3abc52

SHA512
e031c0df24c44ab17dea269258f9b10378af1a4a584c93f24a85bfc23fd13cf5e3329d61a29a1024b780252e088e2e0d73f2d7a55ba12873864b70a43b8e0554

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c770afed4f193ab5df9ee586d34b17e

SHA1
4372b463daea7f3f23b690196a6afab15a59681c

SHA256
eba1596589bc29111901a3f4baac2141dc21dbc74de341c5f3c7bc77b4b085b9

SHA512
28b801bb0355ac88b2c08cab4585065ff8f3ed566a860528a5ae397c23b643891aa32efc27a528a7dd56cb3071fe89166bc6423615ee22c2c64a33fca9e815be

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d928a35caa346f5df1f5b7601568d4e1

SHA1
ff90a21c9aef20bf9c0ac4e75153f9f3fbe1a9b6

SHA256
72c96ca44a742cb7fe65a2904533e3c30ba2adf74fac49379942805f0e2a267d

SHA512
77f0211ada5d6b5447d06b6ef77932907809c8ddb0cfaa205726db20a9f0c21016c1930b1e48de13f7c12f8cbf9004ba1bfdf357a121970a8bfbc4b6c133e0eb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db7eae3f60b7cc34732fce6f1da5bc9a

SHA1
f053426227e7bd5c464f9ef795fdcbadba2be6ac

SHA256
2aa3f159ee0f810822637df270370c8600f61a297fd52279aa5553cb894f789b

SHA512
608c5d4f96f63ff6b24a40b90903b27d12b4f0f07294b3c15d0f8e7c359d06a1a7e3621e3c99cf2055d1b3918e5a8cf97804b98ef2d43872bc0990f5d79d134b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c53709d2d2b7c636938765ae639e533f

SHA1
43b6db0e79bb521b6a9052b006a88b209ebb82d4

SHA256
e61418d66ab68c068df83efd874bff761e2c3a9f399de0f57535942954456e04

SHA512
d30d1fe874321de9e5f5643c29e00a8e3e2dbf08595c38d4e4aed974808ccdcaf59ffc72c267bd6596ff151213cbe02f425810687df00e770097edd6a5795bac

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67be175eb0fb49e84e00bb5687cc9ccf

SHA1
97b85be97ad531c7c0d50cac798c7a0874447f3a

SHA256
69417fbfe76ee73a92aa38ba07d5a25e2ee7805377820d3f952e0ff8635aca43

SHA512
57e7fd554b853f7c09b1c84434414cf1fe4492cc13ffc67d57cf98641f52abf49df9342e50a4c9baf03a8abf1f200d596cff55e77a9db692d45e0b338e45465a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
227b04cc6d3871ea6b1f581a2c232c14

SHA1
ff5169b48926c8b89240bbd13c427965a1da6fb3

SHA256
f08e15ea5450630df6bdc1075433d63f4cf12dfc8646cd0b90f791efb0f11e06

SHA512
eb6205834d537f48f7e1aa736956b5492a931f64ad360dd6ea885c01e01122d7bbaca36efa235a313015df2711d6efd7defdeedde1cfd899343c00c94ff7ac44

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8bf85692ae1dfde3cc7d7b322116734

SHA1
e8ac982742f03f707bbb486290c986f8c293df7e

SHA256
8868d670dc658cf70d0db5452b52056d2044714b2629bea831cc7c8ddab23ba6

SHA512
ea6eb86dc306d81f777c6009f1d4946b597df84a0f5041acbe2fab007d988f178c0aacc826d3c0e06a65b3201bf8d9d2e8e07c0dd39c2f094d661991d75fc0d1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c4ac395907ad275016925a5818227ea

SHA1
d1a8a702fc30631b0dc31bea89a7c5f10645b769

SHA256
b064999129c1f8c8e8530f566fed127fc544acf6f343220c952f0d74f584418e

SHA512
59b327968f43e2806a55151265b7498df6974b345c5508b6930bf5282db75f2b7af104aac49f68e8dfda028c877b49829cf83dc618914572eb73645706db42f1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01d137624a542170f2f260fa3ef02907

SHA1
8807e20c19e829b5f94e5697e8d0918d446699ea

SHA256
11336ece32c3db9363a7356222fbef82e5a4094bd497a949f2189ca64390ef5c

SHA512
44167009a9e43fde644ac178a0230af2b45826533bae5528e16b027afe49a2126240a22fd326e3c7181e4a4d0be9d25dc8c88a48e2e863264032bc324ea4c2c1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6e641616374283f74b54cff9307cf2a

SHA1
68312b809c50377c1deb496d7efdb7ec48a5b148

SHA256
55a0f3912b4643307e161b6561d40d707cad49d017ba7e229b72cc1383ebbe71

SHA512
44a57c5bcac7438116966bac2a3e919d9285aa66f722b059c9c3f7b06aa5fa1d4a6697ddb316f0d9aafbc96f60495a23df06dafb44b576499ea5502a006b5d2f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4b8bae64162739773bb4617fb3d8c26

SHA1
92e61011a273490ebbf7d41ec932a64655350a8a

SHA256
79af15c0e4c4d4b9caaa842480f74c27eba9422eb503f47771e579233d4e6f78

SHA512
b54952b7a7198f60d0d68ffec36c1d22603f10854741f0a87b7c8dfd2cc8adee6e374c17926ed8e0c26f3dde2913a09a217f7217ae049164651325348382ce58

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50c9b6d8413d07456063cf88c47a0075

SHA1
b9f275d854491fb9cce428c3e09ec04e348f1a50

SHA256
0df3e33074582ea3959bca6c805d72746995c2accb19be27697fc08433d3fbf3

SHA512
ab269e50fc23e898ffc5fddb54ba1f0c543a868897aeeacf9fbcf2006595cabf2a40bd6fecde168a978ee68a50117380333eed98938904a7fb4e0f06174c0ecb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca7dbcaf464c0625c44ecdbe1d7ab75

SHA1
98351f9e2f83983249372a7da6ee3c8aadeda6c1

SHA256
f08786e9525c8ddf4511b8e3f82bc52ca249b2ad613aaf08c9bd824ae17538d4

SHA512
3f393bc6b087ecae476d478995d312ed1fa431372e6605f9e73bcdd5741f52da04784b3981689c60f7525cdbb1368e74867ccae3c2e02625c1394cbe9a898728

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d362e74f704afea53eaa32f59baaf99a

SHA1
0ccf70d68f13f137f8548f064107195293b06064

SHA256
19eff6056587fe40a4014a377b315636954aa3b0412973e50e8baf1987ef4a0a

SHA512
c8b021f7e8d4854aac706e255dd82d6f41df2f32f889302d3121ec7e160e7c5507084a42493361819136d72eec484962d3ca031ee679f1b0d32a6e144770c6ca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
818c1af7fffd75c9bba25e6bc3aedeab

SHA1
a06d149aa6f4a74cad8e315de84e53916ee78a14

SHA256
cc466099376cc871242656f8f2b5e74b6a975c6f510ba9197ff329864ce9dcb6

SHA512
5498f422460f6fe3c3fc8d9e56f3403ee0418a1b6327b79d9cd18f82151b4171557903a4dfd3658c389dde588a7c6f053e5a1adb2183c1ae40995392106a45d4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbc9cf1ee3b8867c6b36892da83bd4e3

SHA1
35ccd6d07af26d467f9440aed4d29df0269e86ae

SHA256
dc818830bb5baa24e2d648b706232569030f39100c9da44bf4e32695d5fa559a

SHA512
d52bdbe4831f32bb4eac14b9ec5c221185ab360bab8b72c183fd97d5a282f0ea334435b72f259b4de33eea3221ba5b9a426e1f88a442094d4a2f4b98b7eb98e0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84517781d0693da41fa2507111b52545

SHA1
8721f7b07e53fc9a4824275c63d1a1f338305b13

SHA256
c9f9e6b0a8451546b40f12267461df1b1e8e9301a36903a4e4c581593766d0aa

SHA512
aa9311a27c638fd1db342f0d7d3e5b6f40fadb5942750e09dca8d9488be8233a9f28d3a7dace7dcd28845f1f256ad997775ff961cee6a5877ad739bbfbb99437

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
58d66f1dd2f802adf11c2e50e7dfc969

SHA1
b794dc08bfa5eb2d7d9a98dd6d1bba11adbedac8

SHA256
e506fcaccbd8eedc1ea641f69d2d145987e88b9a282e972609fd468eb8d19778

SHA512
1a87b2f96dd3c588f21061207fbc84f805642fb2aa81b265e96049a7cc89473de98423d763e452dc5f736d80c3b2a2273c547423f03ddc785f59b0ec918bdcd3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab6ED1.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar6ED0.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\www629A.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www629B.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C92E7961-C6E4-11EF-B4AF-66AD3A2062CD}.dat

Filesize
5KB

MD5
3456eafd8c22cca109498ae6d61eb131

SHA1
1d2bad73ca714aa5a84765b46ce0d4e3e1f54cbb

SHA256
1f5c6fb5ef14ad159fb9a4f0db8078faaab7d9d46429f25afbfa4ce649f29976

SHA512
efb9f0da73e07e1c0c45258b2d49a304f5ab310dfd4bcee08fdd21477aa94de7135af605cfd7ee1bab8b044952e0b4349b9958ae8fa0efe4ceb64b0abea275b3

Download Submit
\Users\Admin\AppData\Local\Temp\1950c34174ef5585c0011fe52569447c75b5c22fb4cef5594d17687899eca7daSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/832-44-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2640-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2808-1053-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2808-5-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2808-1-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2808-9-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2808-35-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2808-29-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/2828-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2828-27-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2828-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2892-15-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2892-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2892-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2904-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-39-0x00000000005F0000-0x000000000061E000-memory.dmp

Filesize
184KB

Download
memory/2904-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download