xtremerat | 05a056d68c535ba189cd722056f770a41300c599aec210020454d0b3c6d182d0

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
Size

120KB
MD5

6588a7a9e3a093ad3aca1ef4e6a98f57
SHA1

cc92af2646e35b171ce9afc935bf17a3d97884e9
SHA256

05a056d68c535ba189cd722056f770a41300c599aec210020454d0b3c6d182d0
SHA512

c23358f2cb261b7ea2b0c7dbf086297aa3777d5ea7ed2b11b2bad815ae4a34548d710a2ece01b894a5e54178bbf81dab73bcb788d3dead1bf9cf43d01cc9548e
SSDEEP

768:k4Se+TO+LxSnUpzbVzjJeXPqKRZafehKNseSCl/m:kjVTZxSEVXMqsZa2wMsm

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

schalfer.no-ip.org

뒊礻谀翿翿翿翿schalfer.no-ip.org

cb840schalfer.no-ip.org

豼schalfer.no-ip.org

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2864-19-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2864-18-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2576-28-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2864-33-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Yzcadd.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VG603MCB-4I4C-8BU1-6H18-NR781Q230DN5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe restart"	Yzcadd.exe

Executes dropped EXE 64 IoCs

pid	Process
2584	Yzcadd.exe
2080	Yzcadd.exe
2556	Yzcadd.exe
2064	Yzcadd.exe
2640	Yzcadd.exe
1632	Yzcadd.exe
2372	Yzcadd.exe
1812	Yzcadd.exe
1760	Yzcadd.exe
2432	Yzcadd.exe
1784	Yzcadd.exe
1676	Yzcadd.exe
608	Yzcadd.exe
2296	Yzcadd.exe
284	Yzcadd.exe
1144	Yzcadd.exe
2852	Yzcadd.exe
1440	Yzcadd.exe
1920	Yzcadd.exe
3028	Yzcadd.exe
2928	Yzcadd.exe
2020	Yzcadd.exe
1496	Yzcadd.exe
1696	Yzcadd.exe
1288	Yzcadd.exe
1712	Yzcadd.exe
1832	Yzcadd.exe
2476	Yzcadd.exe
2412	Yzcadd.exe
268	Yzcadd.exe
2648	Yzcadd.exe
2536	Yzcadd.exe
2056	Yzcadd.exe
1300	Yzcadd.exe
2220	Yzcadd.exe
2448	Yzcadd.exe
2104	Yzcadd.exe
2004	Yzcadd.exe
1816	Yzcadd.exe
2728	Yzcadd.exe
1148	Yzcadd.exe
1864	Yzcadd.exe
1288	Yzcadd.exe
1832	Yzcadd.exe
920	Yzcadd.exe
2384	Yzcadd.exe
448	Yzcadd.exe
2084	Yzcadd.exe
1052	Yzcadd.exe
2484	Yzcadd.exe
2124	Yzcadd.exe
1756	Yzcadd.exe
2384	Yzcadd.exe
2124	Yzcadd.exe
2484	Yzcadd.exe
1624	Yzcadd.exe
1052	Yzcadd.exe
2312	Yzcadd.exe
1484	Yzcadd.exe
2632	Yzcadd.exe
3168	Yzcadd.exe
3232	Yzcadd.exe
3364	Yzcadd.exe
3432	Yzcadd.exe

Loads dropped DLL 29 IoCs

pid	Process
2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y5ediescad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y5edecad = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Ysedecaddx = "C:\\Users\\Admin\\AppData\\Roaming\\Ydata\\Yzcadd.exe"	Yzcadd.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2584 set thread context of 2080	2584	Yzcadd.exe	41
PID 2064 set thread context of 2640	2064	Yzcadd.exe	52
PID 2556 set thread context of 1632	2556	Yzcadd.exe	53
PID 2372 set thread context of 1760	2372	Yzcadd.exe	64
PID 1812 set thread context of 2432	1812	Yzcadd.exe	66
PID 1784 set thread context of 608	1784	Yzcadd.exe	83
PID 1676 set thread context of 284	1676	Yzcadd.exe	87
PID 2296 set thread context of 1144	2296	Yzcadd.exe	89
PID 2852 set thread context of 1440	2852	Yzcadd.exe	98
PID 1920 set thread context of 3028	1920	Yzcadd.exe	104
PID 2928 set thread context of 2020	2928	Yzcadd.exe	112
PID 1496 set thread context of 1696	1496	Yzcadd.exe	120
PID 1288 set thread context of 1832	1288	Yzcadd.exe	132
PID 1712 set thread context of 2476	1712	Yzcadd.exe	135
PID 2412 set thread context of 268	2412	Yzcadd.exe	143
PID 2648 set thread context of 2536	2648	Yzcadd.exe	153
PID 2056 set thread context of 1300	2056	Yzcadd.exe	159
PID 2220 set thread context of 2448	2220	Yzcadd.exe	171
PID 2104 set thread context of 1816	2104	Yzcadd.exe	182
PID 2004 set thread context of 2728	2004	Yzcadd.exe	185
PID 1148 set thread context of 1864	1148	Yzcadd.exe	194
PID 1288 set thread context of 1832	1288	Yzcadd.exe	208
PID 920 set thread context of 448	920	Yzcadd.exe	221
PID 2384 set thread context of 1052	2384	Yzcadd.exe	226
PID 2084 set thread context of 2484	2084	Yzcadd.exe	230
PID 2124 set thread context of 1756	2124	Yzcadd.exe	240
PID 2384 set thread context of 2484	2384	Yzcadd.exe	256
PID 2124 set thread context of 1624	2124	Yzcadd.exe	259
PID 1052 set thread context of 2312	1052	Yzcadd.exe	267
PID 1484 set thread context of 2632	1484	Yzcadd.exe	276
PID 3168 set thread context of 3232	3168	Yzcadd.exe	283
PID 3364 set thread context of 3432	3364	Yzcadd.exe	295
PID 3532 set thread context of 3636	3532	Yzcadd.exe	306
PID 3592 set thread context of 3736	3592	Yzcadd.exe	309
PID 3828 set thread context of 3892	3828	Yzcadd.exe	315
PID 4072 set thread context of 3152	4072	Yzcadd.exe	335
PID 3100 set thread context of 2660	3100	Yzcadd.exe	339
PID 3252 set thread context of 3572	3252	Yzcadd.exe	344
PID 2500 set thread context of 3728	2500	Yzcadd.exe	350
PID 3848 set thread context of 3376	3848	Yzcadd.exe	374
PID 3276 set thread context of 3620	3276	Yzcadd.exe	381
PID 3364 set thread context of 4028	3364	Yzcadd.exe	384
PID 3772 set thread context of 2528	3772	Yzcadd.exe	389
PID 3800 set thread context of 580	3800	Yzcadd.exe	411
PID 3160 set thread context of 3484	3160	Yzcadd.exe	418
PID 3728 set thread context of 3848	3728	Yzcadd.exe	422
PID 3620 set thread context of 3160	3620	Yzcadd.exe	425
PID 4168 set thread context of 4280	4168	Yzcadd.exe	449
PID 4216 set thread context of 4396	4216	Yzcadd.exe	452
PID 4444 set thread context of 4532	4444	Yzcadd.exe	458
PID 4700 set thread context of 4812	4700	Yzcadd.exe	478
PID 4756 set thread context of 4944	4756	Yzcadd.exe	482
PID 4896 set thread context of 5096	4896	Yzcadd.exe	487
PID 5060 set thread context of 4168	5060	Yzcadd.exe	491
PID 4364 set thread context of 4252	4364	Yzcadd.exe	507
PID 4764 set thread context of 4824	4764	Yzcadd.exe	514
PID 4928 set thread context of 4784	4928	Yzcadd.exe	523
PID 4976 set thread context of 4436	4976	Yzcadd.exe	537
PID 4304 set thread context of 5096	4304	Yzcadd.exe	539
PID 4760 set thread context of 4316	4760	Yzcadd.exe	557
PID 4532 set thread context of 4240	4532	Yzcadd.exe	560
PID 3636 set thread context of 5004	3636	Yzcadd.exe	563
PID 5096 set thread context of 5064	5096	Yzcadd.exe	579

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2864-15-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2864-12-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2864-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2864-17-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2864-19-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2864-18-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2576-28-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2864-33-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yzcadd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
Token: SeShutdownPrivilege	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
Token: SeShutdownPrivilege	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
Token: SeShutdownPrivilege	2584	Yzcadd.exe
Token: SeShutdownPrivilege	2584	Yzcadd.exe
Token: SeShutdownPrivilege	2584	Yzcadd.exe
Token: SeShutdownPrivilege	2064	Yzcadd.exe
Token: SeShutdownPrivilege	2064	Yzcadd.exe
Token: SeShutdownPrivilege	2064	Yzcadd.exe
Token: SeShutdownPrivilege	2556	Yzcadd.exe
Token: SeShutdownPrivilege	2556	Yzcadd.exe
Token: SeShutdownPrivilege	2556	Yzcadd.exe
Token: SeShutdownPrivilege	2372	Yzcadd.exe
Token: SeShutdownPrivilege	2372	Yzcadd.exe
Token: SeShutdownPrivilege	2372	Yzcadd.exe
Token: SeShutdownPrivilege	1812	Yzcadd.exe
Token: SeShutdownPrivilege	1812	Yzcadd.exe
Token: SeShutdownPrivilege	1812	Yzcadd.exe
Token: SeShutdownPrivilege	1784	Yzcadd.exe
Token: SeShutdownPrivilege	1784	Yzcadd.exe
Token: SeShutdownPrivilege	1784	Yzcadd.exe
Token: SeShutdownPrivilege	1676	Yzcadd.exe
Token: SeShutdownPrivilege	1676	Yzcadd.exe
Token: SeShutdownPrivilege	1676	Yzcadd.exe
Token: SeShutdownPrivilege	2296	Yzcadd.exe
Token: SeShutdownPrivilege	2296	Yzcadd.exe
Token: SeShutdownPrivilege	2296	Yzcadd.exe
Token: SeShutdownPrivilege	2852	Yzcadd.exe
Token: SeShutdownPrivilege	2852	Yzcadd.exe
Token: SeShutdownPrivilege	2852	Yzcadd.exe
Token: SeShutdownPrivilege	1920	Yzcadd.exe
Token: SeShutdownPrivilege	1920	Yzcadd.exe
Token: SeShutdownPrivilege	1920	Yzcadd.exe
Token: SeShutdownPrivilege	2928	Yzcadd.exe
Token: SeShutdownPrivilege	2928	Yzcadd.exe
Token: SeShutdownPrivilege	2928	Yzcadd.exe
Token: SeShutdownPrivilege	1496	Yzcadd.exe
Token: SeShutdownPrivilege	1496	Yzcadd.exe
Token: SeShutdownPrivilege	1496	Yzcadd.exe
Token: SeShutdownPrivilege	1288	Yzcadd.exe
Token: SeShutdownPrivilege	1288	Yzcadd.exe
Token: SeShutdownPrivilege	1288	Yzcadd.exe
Token: SeShutdownPrivilege	1712	Yzcadd.exe
Token: SeShutdownPrivilege	1712	Yzcadd.exe
Token: SeShutdownPrivilege	1712	Yzcadd.exe
Token: SeShutdownPrivilege	2412	Yzcadd.exe
Token: SeShutdownPrivilege	2412	Yzcadd.exe
Token: SeShutdownPrivilege	2412	Yzcadd.exe
Token: SeShutdownPrivilege	2648	Yzcadd.exe
Token: SeShutdownPrivilege	2648	Yzcadd.exe
Token: SeShutdownPrivilege	2648	Yzcadd.exe
Token: SeShutdownPrivilege	2056	Yzcadd.exe
Token: SeShutdownPrivilege	2056	Yzcadd.exe
Token: SeShutdownPrivilege	2056	Yzcadd.exe
Token: SeShutdownPrivilege	2220	Yzcadd.exe
Token: SeShutdownPrivilege	2220	Yzcadd.exe
Token: SeShutdownPrivilege	2220	Yzcadd.exe
Token: SeShutdownPrivilege	2104	Yzcadd.exe
Token: SeShutdownPrivilege	2104	Yzcadd.exe
Token: SeShutdownPrivilege	2104	Yzcadd.exe
Token: SeShutdownPrivilege	2004	Yzcadd.exe
Token: SeShutdownPrivilege	2004	Yzcadd.exe
Token: SeShutdownPrivilege	2004	Yzcadd.exe
Token: SeShutdownPrivilege	1148	Yzcadd.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
2584	Yzcadd.exe
2556	Yzcadd.exe
2064	Yzcadd.exe
2372	Yzcadd.exe
1812	Yzcadd.exe
1784	Yzcadd.exe
1676	Yzcadd.exe
2296	Yzcadd.exe
2852	Yzcadd.exe
1920	Yzcadd.exe
2928	Yzcadd.exe
1496	Yzcadd.exe
1288	Yzcadd.exe
1712	Yzcadd.exe
2412	Yzcadd.exe
2648	Yzcadd.exe
2056	Yzcadd.exe
2220	Yzcadd.exe
2104	Yzcadd.exe
2004	Yzcadd.exe
1148	Yzcadd.exe
1288	Yzcadd.exe
920	Yzcadd.exe
2384	Yzcadd.exe
2084	Yzcadd.exe
2124	Yzcadd.exe
2384	Yzcadd.exe
2124	Yzcadd.exe
1052	Yzcadd.exe
1484	Yzcadd.exe
3168	Yzcadd.exe
3364	Yzcadd.exe
3532	Yzcadd.exe
3592	Yzcadd.exe
3828	Yzcadd.exe
4072	Yzcadd.exe
3100	Yzcadd.exe
3252	Yzcadd.exe
2500	Yzcadd.exe
3848	Yzcadd.exe
3276	Yzcadd.exe
3364	Yzcadd.exe
3772	Yzcadd.exe
3800	Yzcadd.exe
3160	Yzcadd.exe
3728	Yzcadd.exe
3620	Yzcadd.exe
4168	Yzcadd.exe
4216	Yzcadd.exe
4444	Yzcadd.exe
4700	Yzcadd.exe
4756	Yzcadd.exe
4896	Yzcadd.exe
5060	Yzcadd.exe
4364	Yzcadd.exe
4764	Yzcadd.exe
4928	Yzcadd.exe
4976	Yzcadd.exe
4304	Yzcadd.exe
4760	Yzcadd.exe
4532	Yzcadd.exe
3636	Yzcadd.exe
5096	Yzcadd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2664 wrote to memory of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2664 wrote to memory of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2664 wrote to memory of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2664 wrote to memory of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2664 wrote to memory of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2664 wrote to memory of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2664 wrote to memory of 2864	2664	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	30
PID 2864 wrote to memory of 2576	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	31
PID 2864 wrote to memory of 2576	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	31
PID 2864 wrote to memory of 2576	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	31
PID 2864 wrote to memory of 2576	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	31
PID 2864 wrote to memory of 2576	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	31
PID 2864 wrote to memory of 3000	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	32
PID 2864 wrote to memory of 3000	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	32
PID 2864 wrote to memory of 3000	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	32
PID 2864 wrote to memory of 3000	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	32
PID 2864 wrote to memory of 3000	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	32
PID 2864 wrote to memory of 2604	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	33
PID 2864 wrote to memory of 2604	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	33
PID 2864 wrote to memory of 2604	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	33
PID 2864 wrote to memory of 2604	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	33
PID 2864 wrote to memory of 2604	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	33
PID 2864 wrote to memory of 2756	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	34
PID 2864 wrote to memory of 2756	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	34
PID 2864 wrote to memory of 2756	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	34
PID 2864 wrote to memory of 2756	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	34
PID 2864 wrote to memory of 2756	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	34
PID 2864 wrote to memory of 1804	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	35
PID 2864 wrote to memory of 1804	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	35
PID 2864 wrote to memory of 1804	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	35
PID 2864 wrote to memory of 1804	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	35
PID 2864 wrote to memory of 1804	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	35
PID 2864 wrote to memory of 2708	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	36
PID 2864 wrote to memory of 2708	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	36
PID 2864 wrote to memory of 2708	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	36
PID 2864 wrote to memory of 2708	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	36
PID 2864 wrote to memory of 2708	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	36
PID 2864 wrote to memory of 2816	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	37
PID 2864 wrote to memory of 2816	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	37
PID 2864 wrote to memory of 2816	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	37
PID 2864 wrote to memory of 2816	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	37
PID 2864 wrote to memory of 2816	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	37
PID 2864 wrote to memory of 1980	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	38
PID 2864 wrote to memory of 1980	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	38
PID 2864 wrote to memory of 1980	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	38
PID 2864 wrote to memory of 1980	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	38
PID 2864 wrote to memory of 1980	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	38
PID 2864 wrote to memory of 2624	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	39
PID 2864 wrote to memory of 2624	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	39
PID 2864 wrote to memory of 2624	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	39
PID 2864 wrote to memory of 2624	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	39
PID 2864 wrote to memory of 2584	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	40
PID 2864 wrote to memory of 2584	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	40
PID 2864 wrote to memory of 2584	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	40
PID 2864 wrote to memory of 2584	2864	JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe	40
PID 2584 wrote to memory of 2080	2584	Yzcadd.exe	41
PID 2584 wrote to memory of 2080	2584	Yzcadd.exe	41
PID 2584 wrote to memory of 2080	2584	Yzcadd.exe	41
PID 2584 wrote to memory of 2080	2584	Yzcadd.exe	41
PID 2584 wrote to memory of 2080	2584	Yzcadd.exe	41
PID 2584 wrote to memory of 2080	2584	Yzcadd.exe	41
PID 2584 wrote to memory of 2080	2584	Yzcadd.exe	41
PID 2584 wrote to memory of 2080	2584	Yzcadd.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6588a7a9e3a093ad3aca1ef4e6a98f57.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2576
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2556
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Executes dropped EXE
        
        PID:1632
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2372
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2540
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:888
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1784
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3008
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2852
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2100
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2928
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:948
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2508
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        13⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        17⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:3432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3580
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1288
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1984
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2648
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2392
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2068
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2812
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2104
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2416
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2752
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2408
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:920
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2188
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2340
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3828
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        11⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        13⤵
        Modifies WinLogon for persistence
        
        PID:3728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3132
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2384
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2484
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2096
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1484
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:2632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3196
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3328
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3392
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3408
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3556
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Modifies WinLogon for persistence
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3772
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3260
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3532
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3636
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2316
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3100
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Adds policy Run key to start application
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4256
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4072
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3204
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3280
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3276
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4244
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3848
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3564
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3600
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4076
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3160
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        13⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4320
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3800
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3892
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3168
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4184
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4896
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4468
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4168
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4280
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4508
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5040
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4700
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        
        PID:4812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5024
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4364
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        
        PID:4252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4956
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4308
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        10⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        12⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        13⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        15⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        17⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        19⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        
        PID:5464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5668
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4976
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5056
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3364
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4760
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4524
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1484
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5068
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:4628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        10⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        11⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        12⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        13⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        14⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        15⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        17⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        18⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        19⤵
        
        PID:5528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6000
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5096
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3636
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5144
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:5360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5592
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3540
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5220
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5288
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      PID:5740
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5892
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5972
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6108
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      PID:5236
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5424
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5476
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5704
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      PID:5496
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:6040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5204
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5824
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5376
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      PID:5524
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5436
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      PID:6036
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1412
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      PID:5812
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3000
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2756
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1804
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2708
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2816
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1980
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2624
- - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
    "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
      "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      PID:2080
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:864
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1432
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1476
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2980
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2548
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3024
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3016
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1776
    - - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2064
      - C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        6⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        8⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        10⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        12⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        14⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        16⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        18⤵
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe
        
        "C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe"
        20⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:1832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ZQD7D4W9IU.cfg

Filesize
1KB

MD5
c90c8e319a38965108ddd4a80b0886bf

SHA1
90d600e62ad1dedad2716ac92fd7b0c04a134637

SHA256
0d607597e85beab7ae22871eec1c624082aac4f51f3f4eee5916415205012453

SHA512
321a414cff8cc6ca3043b1214f42b7fc3b4d7112737af13faf923a01472faa2a711c0e6acd7d8a7ee14208cc6e8b6cf7e496e3fb7e48759508a0667518f6bd94

Download Submit
C:\Users\Admin\AppData\Roaming\Ydata\Yzcadd.exe

Filesize
120KB

MD5
6588a7a9e3a093ad3aca1ef4e6a98f57

SHA1
cc92af2646e35b171ce9afc935bf17a3d97884e9

SHA256
05a056d68c535ba189cd722056f770a41300c599aec210020454d0b3c6d182d0

SHA512
c23358f2cb261b7ea2b0c7dbf086297aa3777d5ea7ed2b11b2bad815ae4a34548d710a2ece01b894a5e54178bbf81dab73bcb788d3dead1bf9cf43d01cc9548e

Download Submit
memory/2576-28-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2864-12-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2864-17-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2864-19-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2864-18-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2864-11-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2864-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2864-33-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2864-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-15-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads