gh0strat | a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe
Size

328KB
MD5

547b878574ddb23538a8d3409ce702b0
SHA1

ede7adac69f17ed846624c8942e5bdf5a737b164
SHA256

a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78
SHA512

966d6b8d7b91f2195e575ff175f718bf66de61830752e88d0f23956c4dbb9069e11002496bb5c31a21bb651687257994d0b28d7bae937fb46fb62f45bf055e90
SSDEEP

6144:4eKKtlCCp1fBpzhhh2KNZbBKKKrx90J8GtiU67+arHM:hlBpBBpcKwnON6Cars

Score

10^/10

gh0strat ramnit banker discovery rat spyware stealer trojan upx worm

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/3012-5-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/3012-1-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2596-36-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/3012-35-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2596-86-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/936-138-0x0000000000270000-0x000000000029E000-memory.dmp	family_gh0strat
behavioral1/memory/3012-1145-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
2192	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe
2172	DesktopLayer.exe
2596	Ysgmkcc.exe
2092	YsgmkccSrv.exe
936	Ysgmkcc.exe
900	YsgmkccSrv.exe
1776	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
3012	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe
2192	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe
2596	Ysgmkcc.exe
936	Ysgmkcc.exe
900	YsgmkccSrv.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A22CC203-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A0DD202C-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A22CC201-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A22CC201-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A0DD2021-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A0DD2021-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A22CC201-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A22CC204-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A0DD2021-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A0DD2023-C72E-11EF-A276-7E6174361434}.dat	iexplore.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001225c-6.dat	upx
behavioral1/memory/3012-8-0x00000000002E0000-0x000000000030E000-memory.dmp	upx
behavioral1/memory/2192-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2172-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2172-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2172-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2092-43-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2092-46-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/936-138-0x0000000000270000-0x000000000029E000-memory.dmp	upx
behavioral1/memory/1776-148-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px9618.tmp	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA515.tmp	YsgmkccSrv.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9C8D.tmp	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441780722"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9FEF16A1-C72E-11EF-A276-7E6174361434} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-86-e9-9c-c5-4e\WpadDecision = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070c0002001f00040014003800bf03	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070c0002001f00040015000200360100000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\OperationalData = "4"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-86-e9-9c-c5-4e\WpadDecisionReason = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A0DD2021-C72E-11EF-A276-7E6174361434} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-86-e9-9c-c5-4e\WpadDecision = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070c0002001f00040015000300730102000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441780727"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3012	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe
3012	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe
2172	DesktopLayer.exe
2172	DesktopLayer.exe
2172	DesktopLayer.exe
2172	DesktopLayer.exe
2596	Ysgmkcc.exe
2596	Ysgmkcc.exe
2092	YsgmkccSrv.exe
2092	YsgmkccSrv.exe
2092	YsgmkccSrv.exe
2092	YsgmkccSrv.exe
936	Ysgmkcc.exe
936	Ysgmkcc.exe
1776	DesktopLayer.exe
1776	DesktopLayer.exe
1776	DesktopLayer.exe
1776	DesktopLayer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3068	iexplore.exe
320	iexplore.exe
320	iexplore.exe
320	iexplore.exe
320	iexplore.exe
320	iexplore.exe
320	iexplore.exe
320	iexplore.exe
320	iexplore.exe
2440	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3068	iexplore.exe
3068	iexplore.exe
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
320	iexplore.exe
320	iexplore.exe
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2440	iexplore.exe
2440	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2192	3012	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe	30
PID 3012 wrote to memory of 2192	3012	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe	30
PID 3012 wrote to memory of 2192	3012	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe	30
PID 3012 wrote to memory of 2192	3012	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe	30
PID 2192 wrote to memory of 2172	2192	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe	31
PID 2192 wrote to memory of 2172	2192	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe	31
PID 2192 wrote to memory of 2172	2192	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe	31
PID 2192 wrote to memory of 2172	2192	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe	31
PID 2172 wrote to memory of 3068	2172	DesktopLayer.exe	32
PID 2172 wrote to memory of 3068	2172	DesktopLayer.exe	32
PID 2172 wrote to memory of 3068	2172	DesktopLayer.exe	32
PID 2172 wrote to memory of 3068	2172	DesktopLayer.exe	32
PID 3068 wrote to memory of 2252	3068	iexplore.exe	34
PID 3068 wrote to memory of 2252	3068	iexplore.exe	34
PID 3068 wrote to memory of 2252	3068	iexplore.exe	34
PID 3068 wrote to memory of 2252	3068	iexplore.exe	34
PID 2596 wrote to memory of 2092	2596	Ysgmkcc.exe	35
PID 2596 wrote to memory of 2092	2596	Ysgmkcc.exe	35
PID 2596 wrote to memory of 2092	2596	Ysgmkcc.exe	35
PID 2596 wrote to memory of 2092	2596	Ysgmkcc.exe	35
PID 2092 wrote to memory of 320	2092	YsgmkccSrv.exe	36
PID 2092 wrote to memory of 320	2092	YsgmkccSrv.exe	36
PID 2092 wrote to memory of 320	2092	YsgmkccSrv.exe	36
PID 2092 wrote to memory of 320	2092	YsgmkccSrv.exe	36
PID 320 wrote to memory of 2328	320	iexplore.exe	37
PID 320 wrote to memory of 2328	320	iexplore.exe	37
PID 320 wrote to memory of 2328	320	iexplore.exe	37
PID 320 wrote to memory of 2412	320	iexplore.exe	38
PID 320 wrote to memory of 2412	320	iexplore.exe	38
PID 320 wrote to memory of 2412	320	iexplore.exe	38
PID 320 wrote to memory of 2412	320	iexplore.exe	38
PID 2596 wrote to memory of 936	2596	Ysgmkcc.exe	39
PID 2596 wrote to memory of 936	2596	Ysgmkcc.exe	39
PID 2596 wrote to memory of 936	2596	Ysgmkcc.exe	39
PID 2596 wrote to memory of 936	2596	Ysgmkcc.exe	39
PID 936 wrote to memory of 900	936	Ysgmkcc.exe	40
PID 936 wrote to memory of 900	936	Ysgmkcc.exe	40
PID 936 wrote to memory of 900	936	Ysgmkcc.exe	40
PID 936 wrote to memory of 900	936	Ysgmkcc.exe	40
PID 900 wrote to memory of 1776	900	YsgmkccSrv.exe	41
PID 900 wrote to memory of 1776	900	YsgmkccSrv.exe	41
PID 900 wrote to memory of 1776	900	YsgmkccSrv.exe	41
PID 900 wrote to memory of 1776	900	YsgmkccSrv.exe	41
PID 1776 wrote to memory of 2440	1776	DesktopLayer.exe	42
PID 1776 wrote to memory of 2440	1776	DesktopLayer.exe	42
PID 1776 wrote to memory of 2440	1776	DesktopLayer.exe	42
PID 1776 wrote to memory of 2440	1776	DesktopLayer.exe	42
PID 2440 wrote to memory of 2100	2440	iexplore.exe	43
PID 2440 wrote to memory of 2100	2440	iexplore.exe	43
PID 2440 wrote to memory of 2100	2440	iexplore.exe	43
PID 2440 wrote to memory of 2100	2440	iexplore.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe
"C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe
  C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3068 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2252

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
"C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2328
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2412
- C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe" Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
    "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe

Filesize
328KB

MD5
547b878574ddb23538a8d3409ce702b0

SHA1
ede7adac69f17ed846624c8942e5bdf5a737b164

SHA256
a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78

SHA512
966d6b8d7b91f2195e575ff175f718bf66de61830752e88d0f23956c4dbb9069e11002496bb5c31a21bb651687257994d0b28d7bae937fb46fb62f45bf055e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b251b33dec2c52872839d80bd811ae8

SHA1
d55551e43ab435aad0ef5d9e6bc627f42aaa7d4c

SHA256
3bd4fa892ac1e44ba350c0a4fd3476ee4e097ad028711ae219d8e24a504eb409

SHA512
8f2e0770912af3592f068d6c8dd0c7cb5f66b121db36f320187663aa004f9b7ccd3edd6d7acbe7d58ee25aab80a466ac46d07f477db3b7369846d7e92b34639f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05c801168f8e5cde64ac8d6f1f9b84ee

SHA1
ded179c473c96350b9778e63324632f93a7b5aeb

SHA256
9bd8a09363c60b89fb5458319bfce5d8e4f85b9003959846346edaf7cc0d016e

SHA512
c6d8a2579741a3666ccb52d607b31b29a438d57761cb39136b9d830461b4ab924a39fce9a6d29e454a848440dae4cb8e0ce21a929b49eb7219689f270c372ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5327e4018d3d5ebdbb8b272b5b09a71

SHA1
1b5040a2f0f540eadb14d4e861ce7ed4c1ca9854

SHA256
e8e541c085594733cd26f6efe09b9531cff86e8299010b8b3642ae8e41bcda15

SHA512
33d606f486f6944e89b85c92938ffbb49513a1f4af72b71f4702c049873271e5088f99fbdea6f075ba76638901f9f14db93781fb257364733e170acd624b28c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a56743ab41209eb1d3cfc5bee240b6ed

SHA1
785b3c24a5adda062d4f5209b1d0daf4aa9ffa84

SHA256
2d366857afdf64d435c2311cfa23728dcdd1ba60a9c9490fedf8bae4a3fa792d

SHA512
62148411900331a2142871ada94c0711c871fcb8bb823e41e2bf9f6a69cd6cf49eeaa36750ba606196c169cc17c82b8604c44e9aa71984bd7ea0b5baab81a6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1942f59091177f88e24d45e828e3996

SHA1
2295aadd48649ca74c9cefe85937262cdfe21ed6

SHA256
7834996b8b3e1bde400d1f808d35a0b506f8f9dd3f9ce49430a55d6b108c3471

SHA512
27dbf194a517821326879ea95f449f2351fc3ca07593016a039e1fa5bb70f16f57b51ede90093d0c1c7ab95e9ed134810e5f0493f5cb311590cec2105676e49e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d83fbbc4580250282cb2fba6581a79e

SHA1
6cccefcdf4f4981980e074361a786c80bd53a8ee

SHA256
79ccd486b63408568d6651d7b11d79a50c544234587bb9f4b8a826790d5884f9

SHA512
7b0b2a5ccd3422b1e864336dfcd2bb714e9a48a1368347bce2fffc1f7d853717c446e8142520e58e0f8f3eed69f6a7aff247096d11893a4888cfaebee1ec0528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86198e6780376bdc7a35b52487374a59

SHA1
2fe3f57cd42f2f1dec4c4003fa045d9929dcd10e

SHA256
b71b353273d2640bce867276e28c40f7a14f893cec1da763c71cfe0a4a411a21

SHA512
a365c89e4b5818b16afb2439bd259d0606000666d7bc839e58b5f9fad874ea5e0d37c2d36e2a9e04b6eda8622a3728f55703ba5a7035f0e74e4355643b54033d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be8b31f2d744795a20e450eaae8054c7

SHA1
96b07973d49cc90ca86907e7d738824ed12631fa

SHA256
826a2629d50fad5e14be15dec53f1985cdcbb44733c6446bce735daa8d3ca642

SHA512
a0ec71d75160aa59d351bf67d47f74067097662963311119d33123dfd89edf5bfc95e4dbcbd1f1ee815f6ed82ea26802bcbef8b6d33b6de262787bc4be67a7a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17ffaddbad10ce6913e0248d50b56ea7

SHA1
5c41f36ed5a33d04789e2d1efd12dd45adaf4387

SHA256
92745b6e06e5708d888b33c1e6eea21bd0107fd3143e80875dc85182b07f44a0

SHA512
97e54c37b78070593ff02f3ca49add2d1331634c109bb1eea5e1f13cffa4e2ed578fd3da6d86e2995a28068174ab867facbdd26cada26bf1a1f40ad17b4eb1b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02faf76513abc0e07dc1460310df8403

SHA1
d136e489651401f84b285f7915c195d7073bef29

SHA256
d12f1e9c07c8111927cda7086460d67a09b5e11343d90610a061458277713af3

SHA512
53f0b63e61a7ad6fe9c1321160d854a0731af163ce553388d72cb6342d64f92f19516327c0a49820a768efa5cf4ad2b25a0f22f1e6a5691d8c23e8e54d06e1c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e46896ffe3962961f5968d378ce606e5

SHA1
7e743b5c8cf1feb631b994af26ed709e31b5f7bc

SHA256
c0b1ff1c8d88deac88a94d9fd98da66f75bd86d4c9e15da78e216bb6c46fe3b9

SHA512
836ef9a6e5d4efc1d0f5b2687d5e116dda4e6cfdca473469bc72961620d8ba6180f2cfe99829a89fa1b94c2766ab449000a3e8285df32948f40bef5274d78abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbbfd6d8eacf44f9381e306608833c77

SHA1
2e8fb5058ab042d02418cdd79fc7c3f936dbdcfe

SHA256
4df2cc799a0be5bef0a1fc683100965e5241611c01db232d3d86e53d8639001a

SHA512
075276d259e62edafea08ca92ce0927f1c799b71b525e12d83e44d5fdc8fbb632df0f12288727a1a60da21e4bab76b8d58e5fc5005f6ba2516dc7fa65d10087a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25fa37bb358c06b96825b43a57d9959e

SHA1
841dfaaaf59c31effbd2ec0744e373ca89122f68

SHA256
da1a8ff1b3a812d20864d67c04544f8b4de4d206924c2ad123277ab73fbff408

SHA512
d2ae7b14320166705a3551242eb78a94f889f1d7cd67fff64efc06f236151b97974158876ba971ac4c381da035cc8219e1d97c1d7cd67e8bbe2c50835134a77b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1004132f11fb6a2c4d3c501a3075b8b8

SHA1
ce88c29eb96fe998f9f6ec722ca5c2b979b59e9a

SHA256
da13932ad62bb927507564e25028d8e67a27b59f96b33c01564f268a5e8757c0

SHA512
fac4bc83127ad854e356093cb58281285e22925bb8e09dd31de65234faa03247d2b598690363029ca22da8adbd15ffbc4fabcdd5565989a4e129af6c5f35eaa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e53032bf340db4f7459812bdb694d645

SHA1
304ad7286fffd77ca1b9aaa079a2cf2e60e96280

SHA256
7f2a4d11cdf1fac7963813edf4ebc1572b3ead945ffaf6b7432bee111dfacc76

SHA512
8fd120eaca9ec15672b685d1ff82a3c62503cf83fcf74a9beb7e37ecb7cc6fe69df5d0bcd601321941f1f408a1203ab43f9b74f4f9e4393522b2761f3165c19d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cf7f77266b327d77ddd94835f39f463

SHA1
3f77e674f6973c4c6f8926f6dd5d3ab6be7010d6

SHA256
d9873f42bf3b45222b25b4e359192605a1b0bb1ce5e3500b7956262a1b88e60e

SHA512
00e9e1afa80076261d419783aa07121639f02c2665de4a338767b3af7a78f553c224a1c00152df6621f9913a70746287b3615bfcc2b7e16b173a1b57857c55f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70cee0f4c4d71e079ffc7d0fb5a30bd6

SHA1
ef0f7f5a04d891bf7c8d2eb2ecf932d9f7cac8a1

SHA256
61a9795efa5b0d4c92e5ad27d7bba948528e6d65a363b8746bfa3c391c3e362d

SHA512
2f755f0ff73e090711f0794d5c34e68ade594154840f4b41d46718686f64ecb0a922e6951c774392dc4a969999f51fb25085cf6c4b774834fce8b2ddfffe46bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca8423264cd7d9f5dd5ee08957a4a47b

SHA1
8ed771914e291e8fe728389d14e8d3177a5a55ae

SHA256
c64724ec3625319204dd482ea184f3883b377503479e90dbd83c1b267c42b040

SHA512
603effe5c16d6393fd165db7bad3be6478de67aec21643ace67d112ff2e484f45a8f6a669535d5292ecfa57b1709aa478d76d57a389bd66b0ae43af94d7df76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAEB7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAEBA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
40ec1e24c7b118094ce7886f9b9de2b1

SHA1
d59ba67c1028eeee18b96546378cbeb9fb051c8d

SHA256
0d6d4f2b000384fe0a65ce44083681df4f65fa4f9f5cb70041a89e2971718f9e

SHA512
7dcb2627ead62fd9428b6e035f9f3f84140c9e8c2b2a866def39482d263b2e10f0d3ce6afc8b67b917c47a82dd7b7f8aa6d238d619cd7e3d92d60005a6285d55

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
746cbf427ddead44050fbf71b34f5fef

SHA1
340c172aa449721f3e5c4a99379e57454e157032

SHA256
ab43abd0c803f5f8218f0398792fcb6b42263760bae9aadb5c6575b9a3714391

SHA512
51fa62dd60ebfffb3b9827cce126b322096ad70a0179b37f2d372630851fa6d71c087ff43c44fc35a1102f8be6b5caa0562e797b3030e98c14898aeccec9ffa0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79fb01a63b91e284fdb74aa95fd29adb

SHA1
2b66bd00be82f811e950b26db0f61478c7a838d2

SHA256
2782d4fbc3a51d71d30ce0479320fab58e5d82406b689962181b1dd046ef8c96

SHA512
8c0bbc3ca06098fa7747808edce422c01e805f746ea2f0bca053e7657779a776a1e4ec070c1959ff0334a08b151ee5608cf797ca75ee229c0ca26bc775fae19a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5389d7e6e3af993cbff25f6d06bf0b0

SHA1
44de4365a9d236e681aa5ad6ae5bad9434fee02b

SHA256
bc5c7a2c9f3b9f598021de3816a0a6db2ed7a2169b7189dfc26d9997cd24678b

SHA512
65fff808c9afcec3b451eac9ae01878cf9db804717acbaf60a9d5141530be3077ee33057c65d973d782a2d8342a7c4e9a895f1f3daaaf72b9478f860df13a952

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d435ebe2ef809db9d8d04461b71b2472

SHA1
cacd69bee79e85770a0465d9dd9a98fe43d235ec

SHA256
0005a35052e04074f3e52b794d8b20cfc4ddd7e94435fd7934a44dc93b10f455

SHA512
9bf49ccaa2d591e96a88c1fa95224a5bc26fb8b9cf7042367e21868a7ef8a964f543bb3e99c743cfd3b6d4f292e6699de4f1fd8111e3739f0483b8913ac92814

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2694c47d75b321cfa5fec9694cd29963

SHA1
9edbf869fe01ecbd2b13e4430e3a7e6e5aabc6c9

SHA256
7b592d38a1ae9f986bff829fc0c8bd91df1cd2956656cee3721fb7f5f7d83dd0

SHA512
1e3c7fdab84814251478239a38389d7d28efedd61a0af056610dd51be9ea9d19ee8330e51bd6cb0f4da39d0324c0f0b377ffd91e75bcdb0c2f0b8c2197248002

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5748377193056acd25a52f373a15ab52

SHA1
d443d034eb6e664a1a8db4def4f77ab165b130a2

SHA256
c8db9dd8c798cc30cc81765e5436e81e1c00a6a7cbdceb696cc758223fb07458

SHA512
c44106e7938b0357e0802805d940b96714b1133b2030292f1399a866b7c9ca43186c703d98cb442bf9266e984b0e7d20b9574e60237dc0954fbc86b075fa345c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9296aba0216e490693a8133f55c58093

SHA1
f2c1a63e35e519f30b26d3e8469f0c96e50e666a

SHA256
edc160c885deb9e4c4c667b244f9aa2f9a954f22a1bb937388e7e158a161a25b

SHA512
41116b3acc8872a4cb3c6fba901237fe950b2a94095e4b52f64e383834be734c6bdce374793454fa8ee4fb3a966bfd6489a0d83f2fd4e9277b6310b79f0eb003

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bed8ab04ebd94c6ba9f1acd3aa5f2e19

SHA1
e27c2dc20da3313523634e92a98cfc1d2287ad7a

SHA256
684ac6523577fbf1d0a677dfec580686cd1429b3e130f0ac8607e9b11fe7c6bf

SHA512
8184cecbf0efcc9b53d7e1523a5954db62739b80a39e3e37be33fe5e01f239ff550fad0ed820ca8204accba1912429bce9cf4e7188d448545d10fcbc8641824a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ec5eae4035deacfe4a99eafc5470b41

SHA1
abd42813a03528efe6398c80ce824d6a66506383

SHA256
b60e7ab80c60948adf037bb2f627c0f984e179c41c7405b3b5873f957ce174a2

SHA512
ef8efb533c6f180fc0d5567b6d6c3b0c04139ecccae10dc2a5ace254977976aaa80f64096cae0425347555ac14a6f675565635cf396aea83a0c7071816b5b27d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c6a30b1b7aa03b7f2190a597e246389

SHA1
3be78c64ca34ab4b355029a13424f82f1364400c

SHA256
55b08c96adc7d4a32d42946879e05068b1eb5013b81d8cbd1beb5a2b11da95c2

SHA512
fa5900263bc57c15ad858bae95282936027b34cdebcc25ed298bd9cd530650ab7767ab42ca662d399e7a69850e1ca7d8900dd1cba3637c65a692ffa18d898b87

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f256ca1d809d0aa26e7a9e58a4b0bac

SHA1
db71dc37ac3acd2943b8b01b51f629034970f7de

SHA256
51727bf441bc5ea8ce5fe8f52c7cd53cdf9d9c38db05b5d1f38e535f65de0abd

SHA512
bbb6683c4767da15cd760187338fce79aaad024ad35e04c3f2900a9ae6fb55f183b50f8377f2f6e6e598eb0e6a3f2d016d112d56f88b32065d8ab5effee4d269

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b5a1fbfaca985fe7d0392c568124e6f

SHA1
22d91dba9910dc424cbdfbae8e4af252189f6a5f

SHA256
122dc652144b7c0acbf406ae755b8cd8f1ea108cd74cc613e74b1cb6774fe3b7

SHA512
7acb236ee8d29462475c14f260752f24888bfcdc1e07c9df8a9e55069b4a742f0f7b93d9238ebe65923961b163ce92d0523b0e5345639210a24b7d16c6e5ae14

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70eccda406fb3f163feef3202ee3856b

SHA1
914ad339b8159c4216cd0af54b7b2fb73b410fa0

SHA256
60aa9eef055b71a3c32e577b7663313057a7aa8c12cfa6dd66669cabbbc43a1e

SHA512
f87ca047593dd66f86d20ff7a4cea00927417be626fd193eae7b41adb66682c54abaf1666404b58215d282a5f26888f4800b8caff2608fda96f1a21764ca493e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d146cd077cfa56dfa1708849753bb497

SHA1
c57a79a987312c43e22076180481e5104131d686

SHA256
4f8031bc4aa33c475b404b7effd322c10f9050de05ff8878707f93cd23c6e8d3

SHA512
f6ca8d447a763c25cd123f6add5674ee7a4b21640c1a28722fcfc3990525c5092329463fe6eeb6af6463daf58df6eeee0f368f5a5a266b7d7ef71a394933ef40

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6e101efd6efd38d42ace183537a3654

SHA1
82c25d4c36047c016c29563a762d6fefd11e8007

SHA256
e796b22ff3c8775481e38fd33cd4b26770ab8017ba987e2774f13955d1f7a66f

SHA512
9e789b721f47f9aa4f58217aa6d538b78e23b7214a24a2dc27849f96566e7e60b836506fbcbdfb4571ddd4b9fb924da621d0a77c0ff56657d074e6daaf21387c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d386c96eb689322daae63c3b4f8bf04

SHA1
82a4b4cb033d27fd08f00c5226cfc12a8b774e71

SHA256
c00f715134a1a6e06172447d15e57b798e47413c622e03a7ced4db229f01377c

SHA512
689f7f5ff5b18aa90da519e21c824bac3197dcfbaf13d41f86869c802a3e91d74316a11402685002ba34bdf05213acf20d300909b0ec7a78213806e6bd1b8f35

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffd240ee0ef9ace2ed1d152a5296575e

SHA1
54f5ad84f7ebee19f13526f593f1f97cbbd13809

SHA256
1ac8556d0848954479103bb7992c0d1920d10ad0b1ef5bc9f32a519986ecbd66

SHA512
a8feac701c0dfe62163c9b69738474761865f95181a21b2215949083a0bdb6cfc5b0c0bc19446cbeaf66a83250278dc2f0b883bd8990031cad05f8f0207a19a0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
698364f19508d9a95164b5caab543cba

SHA1
026260c49180c1c82f3808b20233d13a7038a55f

SHA256
ceac8de75ebd362425b0a706d6a99108f0433530487fa133c3caa1e5c94fb5e5

SHA512
537ec7527af38d6527bf2f7eb30a1d6cf972bc84480bd995c5b6e39373d134b6fda3cb9d4486d24f1ec7cba4ccab8c239819aced027d6c9329a5b5c0c7659f1a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81e38afb0b6e7a55b7e8d4db40df61e5

SHA1
a6715cad061265c877222b7e5156c08dd5c9287c

SHA256
62c2488708712f68f627c139a2496ffddf0e048e528cbef31589a34131c7864e

SHA512
dcb84735b7d88d2dba185c8695b12212007a25266a3f9a40c1bfaf9fc81012d0184a92c6baa5545fe9fc52037e6e43c7515db6a6320abea0b8e39cc8191906a1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5c932e70cc282123a9644fcda770328

SHA1
35bdabda1d1437e2c8b1d82509dffdcdff47ce34

SHA256
19e1764846b731de2fe98c38f6b105e1e1daf1103f4f98623061a55ea7f54d9d

SHA512
9be36e4db11d3890d4cd1fecb5bbf7038d7ddabdda0483f1cefef905e407289695cd8a28f8675e0859f37429ae8e81bfa970e4e5f9268ffb5ce2dcda9d57e11d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc9edc5c8a6d9dd3d761ea97a1463fbf

SHA1
d85f1aeba2b4a48744b7d36aef3a112eb0249be0

SHA256
55dac0b314ebf7e7c314f0af4521e43d55c8246b150997ef7d0d602ac725e541

SHA512
6a2ae4371481a9f523c5bfa171b731442f58208babf981ed1fd22a459b9606f75bf2d9e8534eb72565103dd78c4939e6b0e06db6d8615c0e8b881b88c7bed861

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bd00e60b723900f9a13a7a34824ea7d

SHA1
427c024e26a5c5e70ce311969953459c49925b02

SHA256
d9d480bad2a5a368626099b3b614c48a680acc65076172a6463bf86b5a0f5429

SHA512
8cd5cde463e43f97834ccd35fed4b6e9f25944ccb2b1f218fbd259f8815c752369d7b722f66091a3c65489bfc41abf83b2ad5d06e7352871a6e21d6f1824127d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5724fe0cbc2f0a2d0d83bb7023fec717

SHA1
5f24424544b1eebea72dc3fb6348e3e3f3208a40

SHA256
664afde719e55a5432c1732d47413ff92805b461c2b5422ed7129a5d3f5e3040

SHA512
7a9f4b6497438c4512c4385ef3744c0fcb125abfe5c5c5be29fa784d2739fcdeedb823e803b7f0ac81d76d26e99ce4a2383d246776f2d8d7624497fc394fd942

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
451fc3b5fdbe50b0e3f6cae8703fc4ce

SHA1
d734a47d24089312277562a43a2d70b761078834

SHA256
95c4b67668a94227329c8fbbf4acf515f55cf70232dd10275605b004a5c21155

SHA512
d476412569a6365b4dfa2795308db6157c81ec7b17de97a15bbfeda3c0f0e0e04418ce1b4a8fe088ec2a7d649fbc47e7f6ec7f90677600d3b0204054edea5e6e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
685970e7b943e6d808d0d82f1aaea212

SHA1
45eacbed90b084fb8c37dc0ad283d423787e6d3f

SHA256
dfdc199b25821c91403ffc80d40f6994ba31e4988c45274baa3cdaa497d67193

SHA512
540a41b9fd661e1a4cc2f2865df2e0768956bb1abdaf8ad47d5df5cf45e0ffdacc477fb7f160286045b70c2977982148bcf2edda3d61557313979948a92b6e30

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0332c9594f2f884a8e2dc38f801b8c4

SHA1
5d7030b31b3d34218e4dc73d88be7458883a9ef8

SHA256
378e4b6c9baaae53b635c8acb7317a03407468e2c2f3b8a863ced6d48514dde0

SHA512
811f42d79663d0a2a60c3e6289fe6c687c20ccf85da11dc15e825085a1271246d2982bfa7b84076a20c456a1fa8e45de46a4b4ce272f683dc1255e861004ecdd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5abee6a73c14f57390fb35e892390d8

SHA1
d272760fe0cd642e7f68da3b61543d3053844682

SHA256
f2f4db670e9aef62680e67465e8ffb4cdf432712f422c7e65470b537208775ad

SHA512
b52744000f1cbb397911c011df6e082df136b099c8f0c1f028ebc652ae0435986e316af4df501f48d7462866f88b693236274aa7e3be22e7f487b2ca26317fb1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b2ce0da6b6087907b57378e99043485

SHA1
08513662d97c707867ca5f801442af316648a2b6

SHA256
c1e6cbd05dc3ad3fcb3d3781321f9b2129c1a4a3207b0dffed90c1fbc1afecba

SHA512
3c8208853d4b1983cb19c09ef8dfee6100834ce5f204691b0941b56187a59ce32605a06a826b2eb00735ff9bae6787f62acf716eef1405426e70b233ae70c382

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd2c0ce3e7234eaaf53ee82da2b93c7a

SHA1
1a5b54b6bc4a006a5526ee2eee7e91bb536d2bfb

SHA256
d3a6de685f6307436c31474ebc7bbb1e94c20a3c1d488aa8552dd386b9f15295

SHA512
aa68fc84dd031345d6437af8e0b7a8f5ed760489ebf14273ddeca70a707cd62cba9c3e02b79cedc31f602eef4a82ab80b684e504094082e0ada05799d05b4537

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0974f4de14b987160292383679485c9

SHA1
d54b7852576a1f060e5fa21bcd02c12e720a4635

SHA256
d24752c84cb95c5094ab15da8135c37a163e9dae05b94387980c6ab73c8c87a3

SHA512
b3b493e472e63c36b5faee7095e391d0bf56d705a01cdb7e240449fcb533cb381e28be891a8d7c91a9cb014e21b9b48809a3c41c083001ec119e394ed5cf3895

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0720cf700eb401a25e5bd08ff33b9c6f

SHA1
d9bad2f1b0837ff09bd66c4f5a743089b461a26b

SHA256
317f1d1f27e987267185e2c98ff3003da5b3b86fa447aa80b329bce9a7a1dafa

SHA512
8a53c7cb888be2e7fa39a6e5be197daa20a06968623a62704a19bad27e19dfb649fc1a7675292d96876b6206494ef4f8a89f834a2826aae469b9d2f57bdd2d9c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29752cd804484e52cc78b46a528ee335

SHA1
e4200f232f328a35f9b5428640deb5a1afe85779

SHA256
a0288c2000b372349990cfa21fc9596413d68b5c84e624f9b215fc01a12214f4

SHA512
d0712efb15b7fe40ced14cf8147d24c7e288e7ca85df2d76afc8b68b0e490e0202b8082aabc546b7b578b56f43ae58a3647fb7c3d84ca11eacbb56296a967388

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dfb67e196613c779db6b1d8ce87c182

SHA1
3bfafc28d4df0265b5b2efcdc7ddadd61e430ec0

SHA256
1d549f5f53ccb68fd7af2ca677585940398aed5d9918e34be2b3667df5210b2c

SHA512
de4fdecde6d3a54f86bf723709c13ea0297daf008d2486503a60298b00853643f41c7c0f6e2857dfd20a23c12d009526b9ce0c3267ca435a4e473ff45e170bec

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bf44071dfce44e914a6ac234fd39fbad

SHA1
3d466bc0586532325f04349ebf07378a8546cbd5

SHA256
c6aa17e880ceb33b6a535c08fe0221b5df80d3d158be79538963859d9785386d

SHA512
90e30d95117f8d997702a73a59fa42604476899662ea1eb75d08cb8b7588c90bb754d691c4e72477c5c37a0e71fd70f88274bbc5e93dc99c96144e164c06c5cb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
282B

MD5
dd74e2fe22d5594e137db16b476dba8a

SHA1
ea87306a8488f58b874ed91af4367a613b996da1

SHA256
14ce9784828edd441bdad1eb1933bc9140e134aa08cc25af0983008ed273b3c7

SHA512
22ddb320e5218f831a0056443c530cb14ae9838dbaf19f5a96067ccab63fb2cc8b6ce5b1e5197759721bd6bee2d2f9067236d44e377c14859da756f013139089

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabADA0.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarADB5.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\wwwA1FA.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwA1FB.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1e4b32216da437b606ecf9898a81c72

SHA1
50e1c50e5c0001623199442f0bf5cc3e617b82eb

SHA256
cddfce50c6469eb59ea4b9f30710af5acc85e809d14617f03e12ac73bcf8b71d

SHA512
38a1100e373bed55b1a0a304051fa262c6e9c0c17110618a063753489acfa52b0e86d98b011db9d706a6cc8334b595c4d786902bd40ebae7c2da554face5e565

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A0DD2021-C72E-11EF-A276-7E6174361434}.dat

Filesize
5KB

MD5
7059f3e3a8b9bb408850dc710490816b

SHA1
014048eedff7bc79f9d29e59f3c6149e12939287

SHA256
d459f75eb7cad567f0b4fb437b701003a56557694fec877a1fd60e897034f980

SHA512
47d59f427650396d33fe1217c1321cfbbe73c8703c31a97ce1daa9f1515f70798d50f089940e87ebcdf2938f0ba2e29ca2129a2d9da435bec146559e0b8ce1af

Download Submit
\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78NSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/936-138-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/1776-148-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2092-46-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2092-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2172-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2172-24-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2172-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2172-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-13-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2596-40-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2596-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2596-86-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-35-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3012-1145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-8-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/3012-5-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3012-1-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download