Malware Analysis Report

2025-08-10 22:51

Sample ID 240107-x2x7racchj
Target a169003918d23a41e228f8030b458f9e.exe
SHA256 cfe2b6781d8cbc4cd1bc34c2a5ee42c966ce0ba9d84c6ef69942d5a050111860
Tags adware, discovery, persistence, stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 cfe2b6781d8cbc4cd1bc34c2a5ee42c966ce0ba9d84c6ef69942d5a050111860

Threat Level: Known bad

The file a169003918d23a41e228f8030b458f9e.exe was found to be: Known bad.

Malicious Activity Summary

Tags adware, discovery, persistence, stealer

Adds autorun key to be loaded by Explorer.exe on startup

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks installed software on the system

Installs/modifies Browser Helper Object

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-07 19:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-07 19:21
Reported 2024-01-07 19:24
Platform win7-20231215-en
Max time kernel 133s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bokpkov = "{70249986-5370-4D56-BE4F-6F8163E6B721}" C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\altvxvm = "{9E1AE6A9-15B9-4A57-8D1B-799AE9A86C1D}" C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe N/A (12 identical rows)
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (8 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A (6 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe N/A (2 identical rows)

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5908DD9F-AB4F-4244-9799-435AD9B55220} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\drnpfdxqvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\fmsxwqs.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\etlrlws.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\altvxvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\drnpfdxqvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\altvxvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\fmsxwqs.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\bokpkov.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\bokpkov.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\etlrlws.dll C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{8853C284-DF46-469C-837F-6C9FDC2A3029} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\0\win32\ = "C:\\Windows\\drnpfdxqvm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp\CurVer\ = "GNX.Rolex" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\ = "_IavdsEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\ = "etlrlws" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\TypeLib\ = "{B3449DEC-5477-4D4F-BC27-04B4A4365225}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\TypeLib\ = "{01B9CA2B-180E-400D-9338-A5D6AECC5893}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp\ = "GNX" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70249986-5370-4D56-BE4F-6F8163E6B721}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\TypeLib\ = "{01B9CA2B-180E-400D-9338-A5D6AECC5893}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70249986-5370-4D56-BE4F-6F8163E6B721}\InProcServer32\ = "C:\\Windows\\bokpkov.dll" C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E1AE6A9-15B9-4A57-8D1B-799AE9A86C1D} C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\ = "Iavds" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E1AE6A9-15B9-4A57-8D1B-799AE9A86C1D}\InProcServer32\ = "C:\\Windows\\altvxvm.dll" C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\ = "Iavds" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\HELPDIR\ = "C:\\Windows\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib\ = "{01B9CA2B-180E-400D-9338-A5D6AECC5893}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1\ = "etlrlws" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ = "Ibqnw" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E1AE6A9-15B9-4A57-8D1B-799AE9A86C1D}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\ProgID\ = "etlrlws.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib\ = "{01B9CA2B-180E-400D-9338-A5D6AECC5893}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\ = "etlrlws" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ = "Ibqnw" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\ = "_IavdsEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\etlrlws.bqnw\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\TypeLib\ = "{B3449DEC-5477-4D4F-BC27-04B4A4365225}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\HELPDIR\ = "C:\\Windows\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\InprocServer32\ = "C:\\Windows\\etlrlws.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A (12 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe C:\Windows\SysWOW64\cmd.exe (7 identical rows)
PID 2876 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe (7 identical rows)
PID 2876 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe (7 identical rows)
PID 2876 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe (7 identical rows)
PID 2876 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe (7 identical rows)
PID 2876 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe (7 identical rows)
PID 2876 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe (7 identical rows)
PID 2324 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe C:\Windows\SysWOW64\cmd.exe (7 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe

"C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s etlrlws.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

eotk.exe C:\Windows\bokpkov.dll bokpkov

C:\Windows\SysWOW64\cmd.exe

cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsd1068.tmp.bat "C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"

C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

eotk.exe resot

C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe

fmsxwqs.exe reg

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\drnpfdxqvm.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

eotk.exe C:\Windows\altvxvm.dll altvxvm

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsdEE1.tmp\blowfish.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat

C:\Users\Admin\AppData\Local\Temp\ac8zt2\bokpkov.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\etlrlws.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\altvxvm.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\drnpfdxqvm.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe

C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

C:\Users\Admin\AppData\Local\Temp\nsdEE1.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsd1068.tmp.bat

memory/2192-103-0x0000000004410000-0x0000000004411000-memory.dmp

memory/2192-104-0x0000000004410000-0x0000000004411000-memory.dmp

memory/2192-108-0x0000000002630000-0x0000000002640000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-07 19:21
Reported 2024-01-07 19:24
Platform win10v2004-20231222-en
Max time kernel 33s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bokpkov = "{3FC22D86-ED03-4C04-95BD-F69AEDC2112F}" C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\altvxvm = "{79D90725-AC16-4787-A7C0-EF6A63636919}" C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A (6 identical rows)
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe N/A (23 identical rows)
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A (2 identical rows)

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A (5 identical rows)
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A (5 identical rows)
File opened (read-only) \??\D: N/A N/A
File opened (read-only) \??\F: N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5908DD9F-AB4F-4244-9799-435AD9B55220} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\altvxvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\drnpfdxqvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\drnpfdxqvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\fmsxwqs.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\fmsxwqs.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\bokpkov.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\bokpkov.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\etlrlws.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\etlrlws.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\altvxvm.dll C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\GPU N/A N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{8853C284-DF46-469C-837F-6C9FDC2A3029} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib\ = "{01B9CA2B-180E-400D-9338-A5D6AECC5893}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ = "Ibqnw" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\ = "avds TL" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\TypeLib\ = "{01B9CA2B-180E-400D-9338-A5D6AECC5893}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DBBFB6B-1A0D-4875-BF43-0FBE1138F812}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\etlrlws.bqnw\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{AD08DD64-FCB7-41C9-ACA1-93E6282CEEF6} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{2A407FDC-B913-4903-A732-0BC6939E7308} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70967210-9B9D-414A-8539-CD526765D4EF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\ = "GNX Rolex" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3449DEC-5477-4D4F-BC27-04B4A4365225}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FC22D86-ED03-4C04-95BD-F69AEDC2112F} C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26944CB2-7AEB-4C11-A0A2-25F099CE103F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8853C284-DF46-469C-837F-6C9FDC2A3029}\ProgID\ = "etlrlws.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\0\win32\ = "C:\\Windows\\drnpfdxqvm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FC22D86-ED03-4C04-95BD-F69AEDC2112F}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79D90725-AC16-4787-A7C0-EF6A63636919}\InProcServer32\ = "C:\\Windows\\altvxvm.dll" C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{0896A62D-AC52-4924-8B96-3A3D12D32D37} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings N/A N/A
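Reading these tables: the rows attributed to regsvr32.exe and eotk.exe are the ones that tie the files cmd.exe dropped into C:\Windows to a load path. The TypeLib {01B9CA2B-180E-400D-9338-A5D6AECC5893} win32 entry points at C:\Windows\drnpfdxqvm.dll, CLSID {79D90725-AC16-4787-A7C0-EF6A63636919} InProcServer32 points at C:\Windows\altvxvm.dll, CLSID {5908DD9F-AB4F-4244-9799-435AD9B55220} is registered as a Browser Helper Object named "GNX Rolex", and CLSID {8853C284-DF46-469C-837F-6C9FDC2A3029} is an Internet Explorer toolbar with ProgID etlrlws.1. The explorer.exe and SearchApp.exe rows (BagMRU, MuiCache, DOMStorage, AppModel) name no sample artifact, and every row in the SCSI, drive-enumeration, AdjustPrivilegeToken and FindShellTrayWindow tables is attributed to explorer.exe or to no process at all, so they carry no sample-specific indicator on their own.

The Python below is an added example, not part of this report or of the sandbox's tooling. It parses rows in the flattened "Description Indicator Process Target" form used above, rewrites the kernel-native \REGISTRY\ paths into the HKLM\ / HKU\ form reg.exe accepts, links each registered DLL to the GUID and key that loads it, and emits the reg query / dir checks a responder would run on a suspect host. It assumes that process paths in a row contain no spaces (true for every row on this page) and that reg.exe / dir one-liners are the wanted triage form; the embedded rows are a constructed excerpt copied from the tables on this page, not the full event list.

```python
import re

# Constructed excerpt: rows copied verbatim from this report's flattened
# signature tables (sandbox SID and paths as printed). A sample, not the full list.
REPORT_ROWS = r"""
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5908DD9F-AB4F-4244-9799-435AD9B55220} C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\drnpfdxqvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\altvxvm.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\fmsxwqs.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{8853C284-DF46-469C-837F-6C9FDC2A3029} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01B9CA2B-180E-400D-9338-A5D6AECC5893}\1.0\0\win32\ = "C:\\Windows\\drnpfdxqvm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79D90725-AC16-4787-A7C0-EF6A63636919}\InProcServer32\ = "C:\\Windows\\altvxvm.dll" C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5908DD9F-AB4F-4244-9799-435AD9B55220}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
"""

# A row is Description, Indicator, Process, Target. The process column is anchored
# from the right: indicators contain spaces ("Active Setup", "Browser Helper
# Objects") while process paths in this report do not (assumption).
ROW_RE = re.compile(
    r"^(?P<desc>Key created|Key opened|Key value queried|Set value \((?:str|data|int)\)"
    r"|File created|File opened for modification|File opened \(read-only\)|Token: \S+|N/A)"
    r"\s+(?P<indicator>.*?)\s+(?P<process>[A-Za-z]:\\\S+|N/A)\s+(?P<target>\S+)$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
NATIVE_HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


def parse_rows(text):
    """Split every non-empty line into its four columns; a line that does not
    fit raises instead of silently mis-filing its indicator."""
    rows = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        rows.append(m.groupdict())
    return rows


def to_hive_path(native):
    r"""\REGISTRY\MACHINE\x -> HKLM\x and \REGISTRY\USER\x -> HKU\x, the forms
    reg.exe and the PowerShell Registry provider accept."""
    for prefix, hive in NATIVE_HIVES.items():
        if native.upper().startswith(prefix + "\\"):
            return hive + native[len(prefix):]
    return native


def split_value(indicator):
    r"""'Set value' indicators are '<key>\<name> = "<data>"' or, with no ' = ',
    '<key>\<name>'. A trailing backslash before ' = ' means the key's (Default)
    value. Returns (key, value_name, data) with data unquoted and unescaped."""
    path, data = (indicator.split(" = ", 1) + [None])[:2]
    if data is not None:
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1]
        data = data.replace("\\\\", "\\")  # the report doubles backslashes in data
    if path.endswith("\\"):
        return path[:-1], "(Default)", data
    key, _, name = path.rpartition("\\")
    return key, name, data


def summarize(rows):
    r"""Collect what can be checked on a host: files dropped into C:\Windows,
    the BHO / IE Toolbar registrations, every DLL a COM-server or typelib
    registration points at (with its GUID and key), and who wrote them."""
    out = {"dropped_files": set(), "reg_checks": set(), "server_dlls": {}, "writers": set()}
    for r in rows:
        desc, ind, low = r["desc"], r["indicator"], r["indicator"].lower()
        if desc == "File created" and low.startswith("c:\\windows\\"):
            out["dropped_files"].add(ind)
        if not (desc.startswith("Key") or desc.startswith("Set value")):
            continue
        out["writers"].add(r["process"])
        key, name, data = split_value(ind) if desc.startswith("Set value") else (ind, None, None)
        guids = GUID_RE.findall(ind)
        if not guids:
            continue
        if "\\browser helper objects\\" in low or "\\internet explorer\\toolbar\\" in low:
            out["reg_checks"].add((to_hive_path(key), name))
        if data and data.lower().endswith(".dll"):
            out["server_dlls"][data] = (guids[0], to_hive_path(key))
            out["reg_checks"].add((to_hive_path(key), name))
    return out


def hunt_commands(summary):
    r"""Render the summary as reg.exe / dir one-liners for a suspect host (assumed
    triage form, not from the report); HKU\<SID> keys need the target user's SID."""
    cmds = []
    for key, name in sorted(summary["reg_checks"], key=lambda kv: (kv[0], kv[1] or "")):
        flag = "" if name is None else " /ve" if name == "(Default)" else f' /v "{name}"'
        cmds.append(f'reg query "{key}"{flag}')
    for path in sorted(summary["dropped_files"] | set(summary["server_dlls"])):
        cmds.append(f'dir "{path}"')
    return cmds


if __name__ == "__main__":
    s = summarize(parse_rows(REPORT_ROWS))
    for dll, (guid, key) in sorted(s["server_dlls"].items()):
        print(f"{dll} <- {guid} via {key}")
    print("\n".join(hunt_commands(s)))
```

Running it prints the two DLL-to-registration links and the reg query / dir list for the excerpt; pasting the full tables from this page into REPORT_ROWS extends the list to every registered CLSID and dropped file. A row the regex cannot split raises rather than being misfiled, which matters here because a mis-split indicator would put the wrong key into a hunt.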

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A (32 rows, alternating with the row below)
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A (32 rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2112 wrote to memory of 4800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
PID 2112 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
PID 2112 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2112 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe
PID 2112 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
PID 2836 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe

"C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s etlrlws.dll

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\drnpfdxqvm.dll

C:\Windows\SysWOW64\cmd.exe

cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsj5130.tmp.bat "C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"

C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

eotk.exe resot

C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe

fmsxwqs.exe reg

C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

eotk.exe C:\Windows\altvxvm.dll altvxvm

C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

eotk.exe C:\Windows\bokpkov.dll bokpkov

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 80.179.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsd4EED.tmp\blowfish.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat

C:\Users\Admin\AppData\Local\Temp\ac8zt2\bokpkov.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\etlrlws.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\altvxvm.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\drnpfdxqvm.dll

C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe

C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

C:\Users\Admin\AppData\Local\Temp\nsj5130.tmp.bat

C:\Users\Admin\AppData\Local\Temp\nsd4EED.tmp\System.dll

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\V50TXLKS\microsoft.windows[1].xml

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres


memory/3176-444-0x00000257BB200000-0x00000257BB220000-memory.dmp

memory/3176-446-0x00000257BB610000-0x00000257BB630000-memory.dmp

memory/964-457-0x0000000003F90000-0x0000000003F91000-memory.dmp

memory/4924-464-0x000002A859F60000-0x000002A859F80000-memory.dmp

memory/4924-468-0x000002A85A330000-0x000002A85A350000-memory.dmp

memory/4924-466-0x000002A859F20000-0x000002A859F40000-memory.dmp
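The memory dump identifiers above follow a fixed layout (`memory/<pid>-<n>-<start>-<end>-memory.dmp`), which makes them easy to post-process when triaging a report like this one. The following Python is an added example, not part of the sandbox report or its vendor's tooling: it parses the identifiers, groups the regions by PID and computes each region's size, so that the recurring pattern in this run (three 0x20000-byte regions per 64-bit process, a single 0x1000-byte region per process with addresses below 4 GiB) can be checked mechanically rather than by eye. Two assumptions are labelled in the code: the middle number is treated as a per-report sequence counter, which the page does not define, and a start address at or above 4 GiB is taken as evidence of a 64-bit address space. The input list is a constructed subset of the identifiers copied from this section.

```python
"""Summarise sandbox memory-dump identifiers per process (added triage helper)."""
import re
from collections import defaultdict

# Layout as printed in the report: memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
# Assumption: <n> is a per-report sequence counter; the report itself does not define it.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Addresses at or above 4 GiB can only exist in a 64-bit address space (assumption used as a hint).
FOUR_GIB = 0x1_0000_0000

# Constructed sample: a subset of the identifiers listed in this report.
SAMPLE = """
memory/3916-153-0x0000017072220000-0x0000017072240000-memory.dmp
memory/3916-155-0x0000017071FD0000-0x0000017071FF0000-memory.dmp
memory/3916-156-0x00000170725E0000-0x0000017072600000-memory.dmp
memory/4972-169-0x0000000004940000-0x0000000004941000-memory.dmp
memory/2112-176-0x00000228C3EB0000-0x00000228C3ED0000-memory.dmp
memory/2112-178-0x00000228C3E70000-0x00000228C3E90000-memory.dmp
memory/2112-181-0x00000228C4280000-0x00000228C42A0000-memory.dmp
memory/1164-191-0x0000000004490000-0x0000000004491000-memory.dmp
""".strip().splitlines()


def parse_dump(name):
    """Split one identifier into pid, sequence number, start/end address and size."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump identifier: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address does not follow start address in {name!r}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def summarise(names):
    """Group regions by PID and report count, total bytes, distinct sizes and address width hint."""
    by_pid = defaultdict(list)
    for name in names:
        region = parse_dump(name)
        by_pid[region["pid"]].append(region)

    summary = {}
    for pid, regions in by_pid.items():
        regions.sort(key=lambda r: r["start"])
        summary[pid] = {
            "regions": len(regions),
            "total_bytes": sum(r["size"] for r in regions),
            "sizes": sorted({r["size"] for r in regions}),
            # True when every dumped region lies above 4 GiB (64-bit process, by assumption).
            "high_address": all(r["start"] >= FOUR_GIB for r in regions),
        }
    return summary


if __name__ == "__main__":
    for pid, info in sorted(summarise(SAMPLE).items()):
        sizes = ", ".join(hex(s) for s in info["sizes"])
        print(f"pid {pid}: {info['regions']} region(s), {info['total_bytes']:#x} bytes, "
              f"sizes [{sizes}], 64-bit hint={info['high_address']}")
```

Running the script on the full list from the report would surface any PID that breaks the three-plus-one pattern, which is the kind of outlier worth opening in a debugger first; the parser also rejects malformed identifiers instead of silently skipping them.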