be2ad91acef94958c257147dad7cb49a8a1490d076e4d2d3b08862f6d06a89c4

Analysis

max time kernel
871s
max time network
818s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6miner-v0.1.0-x64-windows.zip
Size

5.5MB
MD5

728501180c56c11ded4881c99a7e0669
SHA1

cf955e4801b243de6455866d9e7bc165a9aff66a
SHA256

be2ad91acef94958c257147dad7cb49a8a1490d076e4d2d3b08862f6d06a89c4
SHA512

dcc84a39fb5766114cbbb656f7065ee7e54aced1140d7fa6125a12d7dbc95ac26ad7610184ab186587aa0e99c62c3737c516accdd45f264c02df4e79591689f4
SSDEEP

98304:7B5LzXHjRZ6MXwbyRedErvf1ay2bz+0Tfzu0te/OTPSGo7TL+F5OSBGyAh9:7BdRIMXwbyIEB03O2iOTaGIvMOQGyq9

Score

10^/10

evasion persistence vmprotect

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 2 IoCs

Processes:

6miner.exe6miner.exe

pid process

4956 6miner.exe
1244 6miner.exe

pid	process
4956	6miner.exe
1244	6miner.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\6miner.exe	vmprotect
C:\Users\Admin\Desktop\6miner.exe	vmprotect
behavioral1/memory/4956-307-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp	vmprotect
behavioral1/memory/4956-309-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp	vmprotect
behavioral1/memory/4956-312-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp	vmprotect
C:\Users\Admin\Desktop\6miner.exe	vmprotect
behavioral1/memory/1244-317-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp	vmprotect
behavioral1/memory/1244-321-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeSearchApp.exeSearchApp.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\0\0 = 56003100000000006b5584721000526f616d696e6700400009000400efbe6b55586c79558a552e00000065e10100000001000000000000000000000000000000adf73b0052006f0061006d0069006e006700000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{F0EA279E-1FE6-49D3-A0C6-5E3A6AF8D99F}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 56003100000000006b554870100057696e646f777300400009000400efbe874f774879558c552e00000000060000000001000000000000000000000000000000cf9f3000570069006e0064006f0077007300000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\0\2\NodeSlot = "11"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8276"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133126472962156252"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "162"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7192"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1949"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2219"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2844"	SearchApp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

692 explorer.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6miner.exe6miner.exe

pid process

4956 6miner.exe
4956 6miner.exe
1244 6miner.exe
1244 6miner.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

692 explorer.exe

pid	process
4956	6miner.exe
4956	6miner.exe
1244	6miner.exe
1244	6miner.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe
Token: SeShutdownPrivilege	692	explorer.exe
Token: SeCreatePagefilePrivilege	692	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exe

pid	process
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

explorer.exe

pid	process
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe

Suspicious use of SetWindowsHookEx 38 IoCs

Processes:

StartMenuExperienceHost.exeexplorer.exeSearchApp.exeSearchApp.exe

pid	process
4616	StartMenuExperienceHost.exe
692	explorer.exe
692	explorer.exe
3208	SearchApp.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
4748	SearchApp.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe
692	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

explorer.execmd.exe

description	pid	process	target process
PID 692 wrote to memory of 4956	692	explorer.exe	6miner.exe
PID 692 wrote to memory of 4956	692	explorer.exe	6miner.exe
PID 692 wrote to memory of 4268	692	explorer.exe	cmd.exe
PID 692 wrote to memory of 4268	692	explorer.exe	cmd.exe
PID 4268 wrote to memory of 1244	4268	cmd.exe	6miner.exe
PID 4268 wrote to memory of 1244	4268	cmd.exe	6miner.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\6miner-v0.1.0-x64-windows.zip
1⤵
PID:4000

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c786a8d37d2243d6bd145d3ff0daee0a /t 2784 /p 2720
1⤵
PID:2972

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\Desktop\6miner.exe
  "C:\Users\Admin\Desktop\6miner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\mine_hns.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Users\Admin\Desktop\6miner.exe
    6miner.exe -a hns/bl2bsha3 -o handshake.6block.com:7701 -u donate.001 -p x -m opencl --opcl-vendor=nvidia --opcl-no-cuda-fix
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fe1d7c3d-8fcc-4293-bf3d-faa3c94d2005}\Apps.ft

Filesize
38KB

MD5
7314cfd2fad0b6b527a8fe3e6dd97596

SHA1
4fc9ef6d5e21c77a92010375a0a5942c3fbf4e4d

SHA256
98165953997752f649bbf3479ff75a6a1833984950f41f04aad8ca21a86d00c0

SHA512
0b3bab4cfda37ab597337132f92bdc3d3897ac6810d615b6c62cbed71ba8466039cd4da8763143e6ca16b6553f21a36d42e882c6388d4c1608eddf5fef92301d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fe1d7c3d-8fcc-4293-bf3d-faa3c94d2005}\Apps.index

Filesize
1.0MB

MD5
67ba8e7f7f175a2ddba4371f52818d3f

SHA1
ea789f27b78199b51beeea15076b1bb66c6175a9

SHA256
b24597daa08491cde184ea8409d441fd6690490b1491f5cd8086d0afef35d12a

SHA512
ba9befae7761c5d03dc698eff9a7eed83f3a2a6a00080780e4dbe9139fdec800793f205a521857ba26b42b2cec6e0044b121ec1220a30ae6b9a1148920255903

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133138467133253244.txt

Filesize
74KB

MD5
0296c8b686889f5fe724d3e8d60c313c

SHA1
c9c1ab998d5a184eb0346fa9c9a1a51498386268

SHA256
7e575b79fb7ebfedcd0ab4c58232703338a147cc2a296759086601f79956c12a

SHA512
5d8d34d733bf0da9e9d942884bad84ea208ac26b0374d0f192d8b719ac4a6795d73671d9da1b2b36fba07dc4ce0ed40194ea785da8ebf964f50590805f5b3b90

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\2TvScgsXIxM1guNgqMsOzQvjMoA.br[1].js

Filesize
74KB

MD5
86b2114ea914b0ccb51f78985ecd8ea5

SHA1
2197abd7b79a8dd7eca030aaf505aae4e08993ae

SHA256
430e828e7d60369c33b9fe6a600d065dea2aeb986d98f8840aa5c0d23bf3a9fd

SHA512
fb97c7d690e2b4bf7772ccc35b5e45f95e6a039b16f2149a3f07dbecadd5cfd1c118f14fcfd4f64be961efe36b9aceaca2c5c61f9eaba695c74e6ce84019c9e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\6mDplh2-tnrwx7GcRbXrFrcA_p8.br[1].js

Filesize
4KB

MD5
a70b5d2181ae13bed705724c86375f4e

SHA1
3baff0b235c1ea2525191d50ca2fd3011a10145b

SHA256
264b1fbcda5416ebe7b7bd3f5fc347a922e93dcc7e7d0703c9d83d321a52ec13

SHA512
3e717ba639361db04287860ab70e13e3aa601652bb135e2da31394137a8eda7c5c56cf9f5ba15a9215f64d7d52cf3ebef0b3343f1d6cea56227944849f2145ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\6n6KIkjDQPFIwsangwMUwKu18P4.br[1].js

Filesize
134KB

MD5
139f278edfdebeb4dac1a37c2b055216

SHA1
458ff41a835abe323c7c30d515647836bc977f05

SHA256
4c7caa1c654162a553af0345a18dca82835712b464333eeab965b9e9c37814db

SHA512
c9329d4de3ca40e8d2604f7d6c190b547e86ff6f277f66234c5b877924d6d1120fda49a94a3b61818b6df4d452f8a1a082f3ecf7d8c23c5e1f0803d832dd8a08

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\9CoUHSoLuEjBAvav2GP95cHcN0M.br[1].js

Filesize
2KB

MD5
c3546304a0369da28a4e110e84f68401

SHA1
83e5975527a82846c84914ced08271180f485cc8

SHA256
7fc2cb6c6c9743883de1c5e0f200a502b2a02e5a8e922e0e77744044f8b19eb9

SHA512
78073502686954f130b9f2fbc1613c1ba746e23e2f8f341fe2084348c40262456ecd0f07a15636a9019100f0867461f109f5bae88babcfb731318dcaabc2b4aa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\9RLIrLi3GlOL2Eylg9IcArIkw20.br[1].js

Filesize
8KB

MD5
e9e0f2c7d9ff4e7ba872a004593454b5

SHA1
2db69a5f85d5afd2c523f8f6b8867eaa4e1125f9

SHA256
24d847fbf4fd59be3529fdfa7542fd3fe9512662927dd482e60d11344175e778

SHA512
f01ac1fed499aab6465f3f1fea96b5036043c260dd8a9029046895768794503264a98e41cc306f54557eac74c228af9a65a1e6cbdcfe6b4e0e8bbbd730f6a6a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\AIIiBKwzFMTaUsvOQjuwJS0aYYQ.br[1].js

Filesize
95KB

MD5
5d0e2943e8bf04a9a4a13590be4b426d

SHA1
751fc26d70057f9f207c264f2189ec37b86b7f61

SHA256
45b602b74682864159b57a34735b115ef7886aa313acfbb37867e81067daa0f1

SHA512
4b8142f7a54e5731d39de452230b01f43e2855c33fc8ddd3b707796de970fd58a7dec5aae7785fc68e740c68fcc85a3710465defe237b1b16b044eda6f09e37d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\AwK8i0vdU1Fr4Ok7IspvNKL6Uak.br[1].js

Filesize
2KB

MD5
6cc241f91435a2074e55cf40715a66a3

SHA1
461a89fd4a1657ddd3ad5f8f0ba553aa040cbebf

SHA256
aefc1baa100056f5b834b5d9cfd1ee523a17951b9ef9f433f3a33900fc975fdb

SHA512
7ae1fc133961e8a388411040450ed700fe34b059aa410193722fca8fd8942425f46518777adcc973bf81e01ce1989a6acd1903c0d588fc7e0dc506e037b68cb1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\BbP74Q2fjHDXtiPV_qE04CaYwbw.br[1].js

Filesize
46KB

MD5
9cda6739c673930227ea6aedaf7f270f

SHA1
1b18dffabea12d90f7db4c7e892cd23b7858d387

SHA256
6db89bb081cc13c1cd74864a0a634ea201223f8cd36b8e0bb5fbef9636e16533

SHA512
07590f8c67836ad48e5f4e9832a49a9bff54c79030385b984d29599e014f6d247a443742fe4f4615564a0ea5f5278ae1cc04e00fad12803d57c46b54c775130e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\C3_WoV2EzgZR6oe1rBJE7szWcS4.br[1].js

Filesize
197KB

MD5
8a94de8125ea3e0b828738d25e37b202

SHA1
b8e3803196610957e2ae26d3df23f77685cb7e4a

SHA256
c1fa1aa1a689cdafbe1ea1126857e6701086d2c40b0e47e5fdef6a0e32d7378d

SHA512
479ce6990ec082555c32c1ab9ac16496ab3d6d549535d91e9e31ca49990ad3ec153f3af8546c09adb72468a5d57e60b14b2be3c232d5b9b1ea4e0cecf6d432d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\Cj4mQnDN_eMyYEqsEbjRrJ2Ttec.br[1].js

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js

Filesize
128KB

MD5
23c987e711c002d4ca3cd02deedc9bbf

SHA1
c0c26b66ea6793fa884f143e76cb9ad2e0109c7c

SHA256
a1c2f4c8ca6113ebdac36f2c33d6ce19bcf2f4bd99ec06e8ba845e2b25b03322

SHA512
969bc04d69f629f08585c7c2ee23e998d8c91146b912370cf9886a7f0b067e68654a9581c0203da522d30533871e41c1b96bf60f18091b6c7eb86d1a863b5d06

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\EYNLM9RfkEXFtD8WH1unvJjwzGA.br[1].js

Filesize
17KB

MD5
e86abefe45e62f7e2f865d8a344d0b6f

SHA1
5d4a0a597759412da2b8e9efd1affe8305e7d116

SHA256
5d54790c856ce13811590e18ac3b0aceefefb61258852490f4c5c60748365e89

SHA512
7903c3046865e3d1db040d66b2c052e3e56f791bc035c56d5fc76b28166dc88fdf6212699f98ee598fa6ba76222dd2da9e428f6662430776edbb4982a232c595

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\Init[1].htm

Filesize
210KB

MD5
dc6e4206909a81b8145658431df817dc

SHA1
95f89fd20bc2e98ab7fbd14490cff9e5ff3b6c9d

SHA256
c1afdbb8c064453c4ef4c52da958a8184154cd341e416015fd7b149bcb806998

SHA512
61986e5f8615915dc3059def642248dc15946a6d4d79c8e18077ffb5b7a73d6f00ec16f6055e7086f89f4e9b2a0ab3fbbcd302a43b62d22c2afd4397031c8571

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\K6UQnplsBwsTgSSfAFnbot9BJ8c.br[1].js

Filesize
1.8MB

MD5
8a07e02c46a79bb74137a5f627591db2

SHA1
71523771c94c4666591147d165bd3e6e47e73c28

SHA256
35af173cf262f05b45e45dcdc2df8b209202b8251748d89a77f3454e03480380

SHA512
8f5ad7b9b332f82494811147e4134c1f945965a268ce6ec09956b01037d9bc3bd9f2ed26535c1b2e74d3d1cc218db29da7013f63d9938dcb049a2f9b7c70807c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\LisgCZCwGQ4lRz4go9tlwPslw_k.br[1].js

Filesize
15KB

MD5
e515e69b21c49a355d5d4b91764abe00

SHA1
7571f85095e21ba061631d8a38d18623bcabf301

SHA256
365f8b7a23865ca36d1c1f7a25553afddb6223ff524b56d4beb80fdd98c8e057

SHA512
aa38791ce4ed4039a6d63cf6273be8ca0dde2436b8c6e0451937a85652d1c6ea22f38da9fd81ba9a4e877861b507603c88cacbbffe4e6b30ec602396f2b87a81

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\PvVze1dcpBMAPV5PYO5uw3GriyY.br[1].js

Filesize
2KB

MD5
ebc45bdc869c203885b0d3322dceb64b

SHA1
410a9e16c64795de5815519e56e5a3399f71029a

SHA256
ca4f6ace2f342b343573167189121752a640860a7c2882ff81f5ed3d55b6f2b5

SHA512
2a97b14c7ba17b4fa08eb5b08e94db67d6c298ff71b063de81102f7885f3279387b1e80581b1d9f4decd790adfcf5733207aab2c58c0e73948c990c19fad20a7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css

Filesize
6B

MD5
77373397a17bd1987dfca2e68d022ecf

SHA1
1294758879506eff3a54aac8d2b59df17b831978

SHA256
a319af2e953e7afda681b85a62f629a5c37344af47d2fcd23ab45e1d99497f13

SHA512
a177f5c25182c62211891786a8f78b2a1caec078c512fc39600809c22b41477c1e8b7a3cf90c88bbbe6869ea5411dd1343cad9a23c6ce1502c439a6d1779ea1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\Ryv5AeLQSnk-U44LNucIwHCh2Sg.br[1].js

Filesize
36KB

MD5
643146d25c158fd55992c051d5388169

SHA1
7b1c139ce769d0bc439a8d43eda18be3a9e582ff

SHA256
64b36287d98b964562a49f4e0c07c751084f3e077156588993870af9d967ca67

SHA512
70cf50fc55eef71320f2fa43986eb26dbfaba231703cece8d9ca816e85d851a2c28427237a96c6cd3ef3cfa1ac3d83ba9f3a766079bb637d996ab5ab31653365

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\U7lYsMImC2KOE_VoqxIhF8N5thg.br[1].js

Filesize
10KB

MD5
c71fa35c8852a1d72943055d9aa277b6

SHA1
46e8c8811a875c20d08fb5d63bc61f280fa3a1ad

SHA256
000a7e5f4726722669e8ff8c495990630bfb58d15c0109bce7f06eaf854706db

SHA512
08a8ea128ae3253f8cb91fb8cbe3bcf54f8313b6d21d11090917d5e900066f6f8109bf56a57de829d424457fc3072d42d482246da48cd19ea64d140af9433b45

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\VA9SqX6YZSWJrJ6ibXvpRZGCupQ.br[1].js

Filesize
44KB

MD5
6859b06c69a93bd325d6cdb2a5cecbd4

SHA1
5f1b96c6e59054c14d1ee9a3f3a2cbbc70e03b87

SHA256
6a232348034a0564b74d8a293ac8dc15664e26664cd4e071e1d2e740b76d9ec6

SHA512
9166d92cbf6945282259a2ca8d53f6d5986ff81de3d61c191d44a745b093936e21e71132833cb885a829c9bf9e4ce42618bd5e995b7a24929436615df35e91ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\VloYF9FShIwiHcSMbyb4TGer5io.br[1].js

Filesize
326KB

MD5
fe8f91ec5139831fe663f0e2a90fde5d

SHA1
8aebaab85b4096d4b3553847aa5655c3becbf5d6

SHA256
80d9026e1555629a19e88ae897dcf011e6ef1dc46eb7d7bdbc8ba7eb85c703ba

SHA512
5476219a01edf99a389809793344fa4561a7f5ebe58d02c3533bdc607f7da708477da68567b128c4556e826fbdf3ea5b0fd87e12304b3d071410741078182670

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\WeaqEJfS9Yrl9laS6TOxoSX0WqM.br[1].js

Filesize
2KB

MD5
121ad323544f8d0ab4947ca248ae67c0

SHA1
6ebdd821c5ff4ec648f60428086ac57fb4401286

SHA256
828a496f74c81febe572bd1219f7cb4122669e8c1b800468647f169b1cfcbf0c

SHA512
96b93cafcd50cb1325ce86bb8128bf9242250c22495ff238187233cd9da0bf8211005d81beaa7103d55abf7960b03e335a44137183a71bf6519f9505ee467ce5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\XGTOWbtsOB8bq4oK5IIDOP8Bno4.br[1].js

Filesize
5KB

MD5
acff5d51f07df3add149c7f0d0691be4

SHA1
6af311eb357230534630bbcd469012772fecfea6

SHA256
40b4f56449caed2936add68c02b0e90cd59dfc297af6a9751688ef3fd8ab291a

SHA512
d4218a274666e12eaac1f855e61c0c50277c4cb14cd4ea4796f0660bf88acf9e4602f12e01d5527d34882dbc13ebb22306f5777fe15e6f47a09115ca5c1e4633

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\Xk0n9ycPBpl3ibUiCDpx5bvphM0[1].css

Filesize
5KB

MD5
5d1f1d6481d5004c729cf7c4e299270a

SHA1
3346206f67a5b9d7d96ac1feef2758724d188617

SHA256
6931c8fcd193fb037fcca1f2ed3f3f7c61d775d117c74fb24760b9d648f90090

SHA512
32c0cf86c053474e6741d8687e9baeb968366f9c70c299d49ac8d26ccee1d39a9bd99269727adadda98d2d031e3d1b29407ffd4943640d95f08457ab8ebd3ce8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\Z1XJu_2D0doVffx-LC0pjHj3f74.br[1].js

Filesize
5KB

MD5
12ebb523d3515f1e759f4d6057d50e75

SHA1
f5a40488ef992e99a1465ea3f11f549e759a922c

SHA256
470a8ea070b6b16d687b397267a1cad5933fbce46466e831d9ffe3cad6609c05

SHA512
7cbfedc475d4680a2090c5d2ff210db67ece80d4a3fa3b734e9be3e114a12241a4afdc85c4261617bfd37f16e8619d8f67eb54c87972a878fc17de2785bb08ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\ZD8aWvkpZK5km-1BWuu_Q803Qxc.br[1].js

Filesize
256KB

MD5
5d461f03f11124854318c4b6e0134754

SHA1
5ac968476b7063a5977f2850c251574705a2bc56

SHA256
e24e013de44ca5b8b8e5f515444a329f45986b17c4c7ec4c2232afc7b6cee8aa

SHA512
2915d5329e27fb2630208b31af50a973bc0815e3e233cb129def2b2a1b2360018a554b5f4688c422c7000f32553a7353308694e8a26085ba8a4434f5194b38e3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\dpyjyjdeE92g8v7NT2WRfUyfdLI.br[1].js

Filesize
42KB

MD5
a18850db2532d2eb92cdffdbfa97438b

SHA1
3843870fc152fe06058faa8f9638058e2dd97704

SHA256
ad66d54e3e4adf5e948d59c3accc4b099b025020a044e210e1cb51b636d552d4

SHA512
ad9a3fde17e33c0411d8d706e6be2be26a098433dfb762e92a2f57ae49656d8a7840d63811717cf563c2dd398526d7fa11576462182bd1840de32d241afb4c32

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\hPlNScrKKGfUAhwQVepjVKsWqRY.br[1].js

Filesize
1KB

MD5
fe23f243155b13348f13fd6488e0238a

SHA1
ec5f71c1875bc491e157ccd160795fc1e36479e9

SHA256
98377a7d539e735206b81f22ebf2f3321ccd5abca865d3a6cec9588cc0cea5ee

SHA512
876949068a5e0235a80dd1a867351f89a253263ca8a4d33e1e74d573d3f68dc3245ce4caf24fe8ffc1df6efe54c72c9564bd62b3d0396b3076b8008409ce3c75

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\jReNPx8gS5IWDxQLFD-EkpG1n7w.br[1].js

Filesize
1KB

MD5
617cadd50981066d960e52ae44362ab0

SHA1
7e268a834d6a67bd6c06e56b8c2e3732c13bd630

SHA256
e933028aec3448b1202190e2efab00417f2d5abeaed20e6cf579db04c2ee86e9

SHA512
4fe04dcef2b8a9e51fbb94245adcf4d8c15f1f47ea927b580aeeeff7c3d5bb015ffce2cf8bb44963a1f4ce21e57ab3bc97f51889face5066d1f413e41ec83696

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\jptBWImiVIYzQaI0kP9_1gjDeu4.br[1].js

Filesize
3KB

MD5
e0c17b836158929804d3dac0d1000726

SHA1
735c336f62427f7e3eb9e312b844791347b33576

SHA256
4cf825a05be99be456c9f670be6516bf10a9c3fd06d4ce954ba9f0b032f54723

SHA512
3032c7cff6514245b5f1afbdf1f6519731cf05439f89c04e41961c3b74d63a411aada140f7615859fe22f5d2854cb9f592badce07a5033dcceae71749d44ca62

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\kbAAuhaaEutXOrxtF8TNG8W9v1I[1].css

Filesize
208KB

MD5
96e76b3573588bdd5618a54a2afe5024

SHA1
ba24780b9f260f42182d5a71f7bda935390cb728

SHA256
ca3912af371e857dc282688ebec4c034856c9129237988613f81f07179f825fa

SHA512
acf1e5e8eec7b5690450866899649beb1937dcc8e292b0158625a0333bd4f4cf85f4013d6ff888ecce6d01a4e22e5e3c573032b244ae157a210d33b08cdf94fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\lvO9r_utFfNYhfhkVKsJzZuaY3Y.br[1].js

Filesize
95KB

MD5
a574d270be0177dae563ccb6974751c3

SHA1
b5558528aa241598b629d52340cf35f512149f60

SHA256
bad8e5b64ade165e2cea644a355fbbdb7cc7dae853256078c85d5a447e1fb9e3

SHA512
b84a80922764c3e2df603a6883356c35096212dfc0af59ed892af1af16d44eaf4accc2b269c83701821d057ec923b6144f736c2c3c6c1bdcbe7a60a406717ca6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\onra7PQl9o5bYT2lASI1BE4DDEs[1].css

Filesize
65KB

MD5
d167f317b3da20c8cb7f24e078e0358a

SHA1
d44ed3ec2cde263c53a1ba3c94b402410a636c5f

SHA256
be2e9b42fc02b16643c01833de7d1c14d8790ecc4355c76529a41fa2f7d3efad

SHA512
afc65b0fa648d49a5eb896be60331aa222301894e228fe5684399e9276342f6510773dffa3e7e75b8d6197bc51c732bc7fd7518e593ecd20c4884c47058d46d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\qRqw0fKEID_9I4HEO5LDdD8CaWE.br[1].js

Filesize
52KB

MD5
a5c99328f8ddbf8ceec9f8156150d001

SHA1
4187c8884930b06621b4d311460c9d7062e903ad

SHA256
05d0046198336f88241f3d2703c54350e98f5f6c9fd69824f342712b3d11d186

SHA512
e545b2d4dcf9c7ec8bba96337dfd0e7fd17973592daf34f40d4edf5b9a81c5d6be175af25fc43acb507f8a00993dfddb50e0ef84a0f062bea082bf74851cee4a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\qv7SaK6Hh2LcbHkaUK4eKm-I3l4.br[1].js

Filesize
31KB

MD5
948209220379be45d32830ebc2223fd3

SHA1
06bdc371d2d0fb7d165d15991c757fc0a5fb2d70

SHA256
3bcd380040b5ce3978ad561fab1b5a1b6720fb5ed42abc2e87d82d8f80b7117d

SHA512
f5c29c74a0c05befc798f9772540465b58987633c20e7a8b470c245ca33275cda9f6b270ea7a47993688b5a0f5365d88fd73bb894207941130806a3f78297f86

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\t8shg5d7KiteLFdk0T__nZRbsds.br[1].js

Filesize
15KB

MD5
b2fc483e05387f3d76bcb3da72b05773

SHA1
93ba6e9e94c5435d9a839321096e3e883b49378f

SHA256
001718daf3df6a85ffdc59f7d12039301e7aafaa16ccf96889729fbd5e1de0db

SHA512
c3a07abb24eebf05806cd84c53bb414620b7a8e5afda2d9b9c2d3c811257b0f26c99fc5a7236e6b0d49fd0b6e08a9ff9a5b6ec259f4c3319f2c372d09eeb495c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\uANxnX_BheDjd2-cdR8N9DEWlds[1].css

Filesize
19KB

MD5
50d88809e1775e354015b7922ffb1529

SHA1
e8f06b39d2f45166916d534c3dce5e3ec43d465e

SHA256
f97b7c6a2949aaff58e70faf2c61123d7b111ca675ed3a476613d4d34932b7f6

SHA512
2220661d17914126be8d62dd468861ecfea3348822e62fa5a949ff15d41cec6e78457d5bd94e8b663a245fd993d750f35706c233e254c51cb01f3054b0c5284a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\vp6XxLuSEAVVGtZVJpk2UpHOiyE.br[1].js

Filesize
106KB

MD5
efc5b53d07cb9d1c1fc0da0c2eb0f5b8

SHA1
03b1c4499ea2010390ed56cf15b30b988a5b4688

SHA256
4fcf8eccf9d570f6575f9117ffc978673ca4df5548ae34a043a5497abda703db

SHA512
25e52e56172900320469747a5eecda0c9f0fe8f0cf98ef242f76d12f27fbdfb1ac395ea0f68f517d04449c87e417dbb1d019cb8a8e24f1df3cc857b40574a1c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\w9zqVJkEZ_qpNCqYvGYoqL8BWm0.br[1].js

Filesize
118KB

MD5
129776db6ba6bea4af70cdb1ea56942a

SHA1
12bfe666c0b57b134e7b8b88bcf1a0c3b5dcf3cd

SHA256
2d55886903198e35295b8e90738da47859837baba26d47e15bac87f90ee608d3

SHA512
aedf99a152b97be6a57f0d1fb1dd43b0bb69508eae65b3a054024cd9e5dd59670ebeaff6ce7525e2b7263bbd7c963c30659628f9a2df16410674871538def94b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\QDNB016T\3\xZtFP6ADa5r6W-Gs9azRy1BzdoM.br[1].js

Filesize
14KB

MD5
c994b0da70ad36c2b4dc49a48e249bda

SHA1
fcd2f1cfdc33a946e393420c7a36c7ffc28b77b9

SHA256
7baa4579de695048f2b372780b43e0b1d80ea9dbc43e45850cf6d488c745d3c4

SHA512
dbaefcedd87defb461df22f2f4d300ca156859aa67b02dfb19c9c178fef2b2746633a8f14d4f3f297af6369fa7e770bd07bcba7ebd0c79d9c7d7de660b08f238

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\H7CY52PH\1FLtrEdHrNq7YDeeCYhb8ssigCI[1].js

Filesize
21KB

MD5
4fbd3f0588a267ff74b33c96803217bb

SHA1
6220502ce22bf4f3fa307d684de41aee6c29417d

SHA256
eb33166fa3c2d27116676731ec19c2e68610b40ef408e60951b0f201178a1217

SHA512
00fdd7e684763fbd80298a52477772564fb210a63f807d5b0557386656a39b1c7d0653346aeb929cf9f9cd481303216fad19a6a97b3ae5acbf8f22afc348a78a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\QDYBITXD\Ane5LYLWhZhlI27dRgdM_U8g7Wo[1].js

Filesize
52KB

MD5
7b115688439106b243e7529f2b1e7209

SHA1
5eba4e48d71f84b29fa0fc4a1e4de9e5b36eee72

SHA256
3af230fd3148067706955368dfda26ae6e0090cee74023e2d5f99a926d392ea3

SHA512
52e83f608dba5c22f9362e373410a4349231b09045adb443e1388e8a3816254c593290cb808c6a04ba05e4a6d3528be5fd38fd1dc59c441688f12b381eb5481d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
64bd9a644bd182581368e3ce024dad9a

SHA1
1520bd16d65200bfa86d889eb88f4f62a65dd007

SHA256
5814095df174f580f08019718d2f8d05177276906620e36564588ba4b19ddfdb

SHA512
af1ec9959334ae377a1b199a44ec31a3cadc1273512f8a2644eb8b3b21f24d4afe1c0515a3bb685bd35a0856c2d6383504ee7e72ae67f87f3bda0a8ff91ec5db

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
cb7979e8d1d01b4c0c9640b3c28acd17

SHA1
045b8fe7ad8ce3ea51a9ddf3eef0516e1d8707ca

SHA256
b771a3f4e891b140f25058e09939c88ec7ae6f2950d078d6e8993b3bd3d025aa

SHA512
9fd56c1deb132a0091ddd141b9d360fd69444e1b3882964857555539f8791d0afea6ff3c0b9dd50d60ae7212d0cf6c949aecf7ac67ede85e98a290ab5eb29447

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DB12P5ZP\www.bing[1].xml

Filesize
325B

MD5
b9cb467ffe90cd61f36b64bb18f5ec12

SHA1
fa6530967869751ce9d622f266f4b20ad37dc9ac

SHA256
7c329cef563693019dfd0e42a021a9138733fbace61c56232c2b854b1447fa57

SHA512
022e25ce42ffa6cafefec2f4886cb463fa82f1dcce3eb7692f0c152d6f98282dece80438179a38d05cc1a5545c2611f6f90e8d096cd861707ef426a7891f06c7

Download Submit
C:\Users\Admin\Desktop\6miner.exe

Filesize
6.1MB

MD5
49880abbf0de9ba459065f03cd7992b1

SHA1
96fa63f06f35327b338c85b744c2e152d6a76c9d

SHA256
7c3ba3175d6d185f5ad6a7ea7709b66ed84a2e3766b9971d1b17eb8524a9a982

SHA512
84b5f02df90e0d0b5555a47056c6b875dbf00dc9c4d9101ff486a0d3f3f78a21fe30dd114920a32b04382d89edf3298bed6e0f687878eb628bf9df6e81fa0a4f

Download Submit
C:\Users\Admin\Desktop\6miner.exe

Filesize
6.1MB

MD5
49880abbf0de9ba459065f03cd7992b1

SHA1
96fa63f06f35327b338c85b744c2e152d6a76c9d

SHA256
7c3ba3175d6d185f5ad6a7ea7709b66ed84a2e3766b9971d1b17eb8524a9a982

SHA512
84b5f02df90e0d0b5555a47056c6b875dbf00dc9c4d9101ff486a0d3f3f78a21fe30dd114920a32b04382d89edf3298bed6e0f687878eb628bf9df6e81fa0a4f

Download Submit
C:\Users\Admin\Desktop\6miner.exe

Filesize
6.1MB

MD5
49880abbf0de9ba459065f03cd7992b1

SHA1
96fa63f06f35327b338c85b744c2e152d6a76c9d

SHA256
7c3ba3175d6d185f5ad6a7ea7709b66ed84a2e3766b9971d1b17eb8524a9a982

SHA512
84b5f02df90e0d0b5555a47056c6b875dbf00dc9c4d9101ff486a0d3f3f78a21fe30dd114920a32b04382d89edf3298bed6e0f687878eb628bf9df6e81fa0a4f

Download Submit
C:\Users\Admin\Desktop\mine_hns.bat

Filesize
286B

MD5
309b69c521b10b4021a87f981c1ceea0

SHA1
c91c3d029044564ae2b6f5afca45a25671779e47

SHA256
b34844b2abd3959b395b4d8f2f40fe6d1436a26bdce8092611db3eaa2d2eb4c1

SHA512
7f10feee81d3af94e0efdea0927df002534d9d3832c1882b17a6f7528d4de99d94deb8434156dd1eb4ad45d21d2671839dd54ad9574bc55af7aa78d6752b14d8

Download Submit
memory/1244-315-0x0000000000000000-mapping.dmp

Download
memory/1244-321-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp

Filesize
14.7MB

Download
memory/1244-317-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp

Filesize
14.7MB

Download
memory/3208-229-0x0000022F0002F000-0x0000022F00033000-memory.dmp

Filesize
16KB

Download
memory/3208-234-0x0000022F00033000-0x0000022F00036000-memory.dmp

Filesize
12KB

Download
memory/3208-226-0x0000022F0002F000-0x0000022F00033000-memory.dmp

Filesize
16KB

Download
memory/3208-228-0x0000022F0002F000-0x0000022F00033000-memory.dmp

Filesize
16KB

Download
memory/3208-230-0x0000022F0002F000-0x0000022F00033000-memory.dmp

Filesize
16KB

Download
memory/3208-235-0x0000022F00033000-0x0000022F00036000-memory.dmp

Filesize
12KB

Download
memory/3208-143-0x000002376E910000-0x000002376E930000-memory.dmp

Filesize
128KB

Download
memory/3208-239-0x0000022F00036000-0x0000022F00039000-memory.dmp

Filesize
12KB

Download
memory/3208-232-0x0000022F00033000-0x0000022F00036000-memory.dmp

Filesize
12KB

Download
memory/3208-224-0x0000023771FE0000-0x0000023772000000-memory.dmp

Filesize
128KB

Download
memory/3208-222-0x0000023774E50000-0x0000023774E58000-memory.dmp

Filesize
32KB

Download
memory/3208-227-0x0000022F0002F000-0x0000022F00033000-memory.dmp

Filesize
16KB

Download
memory/3208-233-0x0000022F00033000-0x0000022F00036000-memory.dmp

Filesize
12KB

Download
memory/3208-238-0x0000022F00036000-0x0000022F00039000-memory.dmp

Filesize
12KB

Download
memory/3208-240-0x0000022F00036000-0x0000022F00039000-memory.dmp

Filesize
12KB

Download
memory/4268-313-0x0000000000000000-mapping.dmp

Download
memory/4748-298-0x0000021EB94A0000-0x0000021EB94C0000-memory.dmp

Filesize
128KB

Download
memory/4748-295-0x0000021EB91D0000-0x0000021EB91F0000-memory.dmp

Filesize
128KB

Download
memory/4748-294-0x0000021EB89B0000-0x0000021EB89D0000-memory.dmp

Filesize
128KB

Download
memory/4956-304-0x0000000000000000-mapping.dmp

Download
memory/4956-312-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp

Filesize
14.7MB

Download
memory/4956-309-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp

Filesize
14.7MB

Download
memory/4956-307-0x00007FF6D7B20000-0x00007FF6D89DE000-memory.dmp

Filesize
14.7MB

Download