ramnit | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78

Analysis

max time kernel
1801s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
29-06-2022 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Size

107KB
MD5

0a7135dfdb1bd11de9ce5b3f18fc24af
SHA1

7b3afbbc6d639ec0419be1ce9f7d27e3978db290
SHA256

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78
SHA512

dd88227dd1cee7f28ec5a9c287f2ca28cc4f08b771618ab48b2cbe4f0cad579e45b58d73ab2243e4e45c54c57ec601ce9766ff43a10130dacc40228600b9f66d

Score

10^/10

ramnit banker evasion spyware stealer suricata trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe:*:enabled:@shell32.dll,-1"	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
suricata
suricata: ET MALWARE [PTsecurity] Botnet Nitol.B Checkin
suricata: ET MALWARE [PTsecurity] Botnet Nitol.B Checkin
suricata

Executes dropped EXE 5 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exeDesktopLayer.exelqfxqc.exelqfxqcSrv.exeDesktopLayer.exe

pid	process
876	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
2496	DesktopLayer.exe
5112	lqfxqc.exe
5116	lqfxqcSrv.exe
4656	DesktopLayer.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/828-130-0x0000000000400000-0x0000000000427000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe	upx
behavioral2/memory/876-133-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/2496-139-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2496-141-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Windows\lqfxqc.exe	upx
C:\Windows\lqfxqc.exe	upx
behavioral2/memory/5112-144-0x0000000000400000-0x0000000000427000-memory.dmp	upx
C:\Windows\lqfxqcSrv.exe	upx
C:\Windows\lqfxqcSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/5116-150-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/828-158-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/5112-166-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

description	ioc	process
File opened (read-only)	\??\H:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\I:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\J:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\L:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\R:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\S:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\U:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\F:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\M:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\P:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\Q:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\T:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\Y:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\G:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\N:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\O:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\V:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\W:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\X:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\K:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\Z:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened (read-only)	\??\E:	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

Drops file in System32 directory 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeiexplore.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\TransportSecurity	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\a99b12cc-1c12-4f1b-aa99-902c1a00a2a9.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000001.dbtmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\data_1	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\13fb748f-6564-49aa-841c-a92651c17525.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico~RFe56db03.TMP	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\temp-index	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\data_2	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe571702.TMP	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\CURRENT	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Reporting and NEL	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\BudgetDatabase\LOCK	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\warnStateCache	msedge.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\bdd99682-e812-4f8f-a7b0-35657b15fa89.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\101fbbb6-3c63-4c65-90e7-fa0908a83e9b.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe56dd45.TMP	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RFe56e9c8.TMP	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Last Browser	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase\LOCK	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\data_0	msedge.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\0b977760-2d23-49c9-a550-62391d2e21a3.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\73b72886-a8bc-4d2e-9fe9-845a9e7f63e6.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Local State	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\bc7d46cc-1a42-43f2-92b5-a5e140087842.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\cache	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\index	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokens\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000001.dbtmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata	msedge.exe

Drops file in Program Files directory 7 IoCs

Processes:

setup.exe0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exelqfxqcSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220629025613.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxABA6.tmp	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB3F3.tmp	lqfxqcSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	lqfxqcSrv.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\104a4cff-b53f-49f6-8e0e-08a10c6fe5e0.tmp	setup.exe

Drops file in Windows directory 3 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exelqfxqc.exe

description	ioc	process
File created	C:\Windows\lqfxqc.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened for modification	C:\Windows\lqfxqc.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File created	C:\Windows\lqfxqcSrv.exe	lqfxqc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1476 828 WerFault.exe 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

pid	pid_target	process	target process
1476	828	WerFault.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lqfxqc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	lqfxqc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lqfxqc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30968675"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3581267958"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363236333"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3563455659"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3563455659"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FFB40662-F756-11EC-A58B-6A1EA45F0745} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30968675"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30968675"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEmsedge.exesetup.exemsedge.exeie_to_edge_stub.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\metricsid_enableddate = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188006E5B3E009 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000383aebe50534e24f8db2780467edf25f00000000020000000000106600000001000020000000d8dedc556ebb42ce586680cc1895bbec79c5abecf55f378fb8b3d2ab74325910000000000e8000000002000020000000c43964c97a8e16b97c6960275541e00aed75ace6321e60d3e37e141edc5a2a028000000034c390dc8ddf6947e09b9395ae8afb1246184c642547917faf5cbc7730d4549a862c111c63a9c1372e8b6afa5ac3e74597a1c1ae5e543947483f0c4e1f8820056fd5c4c4b93fdf8bcafb994795a02a63965d0c27289bb6a251593a87e8a2395e0d138ae60c723e31d9391fc192df82cde2a61cf9b9a3301f2b3493a27f1e1bc8400000006abc33872846ebe0e91e53aae594cc6d65c47c6476b3e3b6677edbde47ab3a8b76f84804c5695c436f79de4805402c6f91bb9f67c7c144fd21856765b921f65f	msedge.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{C89E2069-AF13-46DB-9E39-216131494B87}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000383aebe50534e24f8db2780467edf25f0000000002000000000010660000000100002000000097bd53e3c3dbada53c6824d10f942575d00e7eb80c0742e6ad965b65503c7798000000000e80000000020000200000009065859f98d9de32380d76544dc8b2c4e2cdc917e88c848fdb634b8caee73dbed0030000604b72c018bb933447b410201d3400e5939d79cb84b995f283ea0ed7a9374078fa0e58f85f1df36634337031e651ff0e85dd9ca4d0f65ce30619a4e60764950f4c8ae3f24495f12e0e610046ceff57279d5ed4c30835b7b4d0a57fd1795ed67a91e9709cbaeabcb146dfec30d3dc5376f0a60387e425eebdde64ba3183755ff59714233b5e5645472589d17ab56dc28eefd38ccd78817d1e71e0abe7e8fa58fb1ff68f9a683d43af2eb9d7a556dce074fe8a18a4d56058dd5bd464595ad71d488d9a2d4aa51969e1353da4f07cac133f3f823e74aec0495341dcde053af3b0130404fa9c91c8cc1f7ecf84a0fbdd717c56973a3060307604c154db6d1ce4af7a9c147c5483d16216351bc39d797ba18a8e172851d33a3c58db8bf2f00bc4da9f19975386072ba665ef4fd7db4c38f6a75593b2a4c54cc0c8fc502a4f783e5cd4391d91a86126196d36f7e25e0242863a0f3cab41996279d8e65930282a84497dffc53043455b1955a63ebe96dfb1e9bc386dca2f686087d5ae878fc343eb61fbef0ccbee72a5116f654811934b8053a6a46da1a568281872f3f999a9eacbfe51a19527ffbcf26c5a61491598e88a58c69b9651654a18c8252f386ad75937d7ccdd7cdddd57a30ad694af73dc9783e2974645cf5a99e7ca5b760f7a07c7fc0a4bda391d82e0bbab518cd1ad62ea5483931c35d2789f7875745f40181ea1c1b16768c0d44cbcce083365b0ea085f6eb46be61b4dfe00239377bce33417224d9ee28e709036511c126e0bc282eda807c0b69e32cbb14d4e7cd8c9312619da91342d48c73247b462ac15b31798d2b15a5e6e71ca1cca75c8c40ae0b6ccfff0cafe57f309898a416c1e0e56b65bb37681b29efbbedfeacd589fcc3fa23eae618e9f815e7f92e6c85d2bc7212576fbd65f377e26ff5cbaabb5d9089bdcbbe2bd97800e1b5951b6a89386244c29670a45816dde9e7f02483262e6b9e3c06e731b57b79fe3e52de19ef8e7fff6e7bcc65a89ec2e311d6f2cc51f9e326386ef0ced16f4607c7122f2b67ed90433b12c58560a96259c4a666c4ac8ca47539bc0b8328c236e0f4afd01b544b7d798ebb37d8c46ecc846ec955b477682ec44442b9866cc1669825a615b668a7e3b36bda8e576119db29cdd79d2d3e1fdc140483f02191c0bd77962f5a90f97575ad76c21c46127cb78e4957de8078c7366fb579d52d75a4bfeb2766ded53782ed5a6869633ac35356a569f237a6f3c663db8c95deac38477966995fbae30be63b950d58e51d1a89136b2606fef0f6ed53fd3b644ddc0bafc6f55e3821c3238160c14235a9fe1d47e068290d15b3a1c735689b45dd537fb4c153d70c7c0ea7ca359250e59af4aed34b1400000007e1251cc1c2cf4e881ebffd52939c10fcda634792adf6f3e1ab9f63c49a8b3aa6d201bededbd8f7bb9a41f6a6c3a78e2993204dc467db6d1f1dc975693b61323	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webp	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv_microsoft-edge-holographic = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{C89E2069-AF13-46DB-9E39-216131494B87}\DeviceId = "00188006E5B3E009"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXde74bfzw9j31bzhcvsrxsyjnhhbq66cs_.svg = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\lastrun = "13300944968509764"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\OperationalData = "12"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\homepage_is_newtabpage = "166BAB61A59F1E811EF24E8C2FDAFB38A60122C459F04AC55DA256201EB70D09"	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\ncbjelpjchkpbikbpkcchkhkblodoama = "A9ECEA58B98C34FC80C9314C07F32C86E3471AB295A8FD54822463827E14EE5B"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\IEMigration	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Time = e607060003001d000200380001009001	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ie_to_edge_stub.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\metricsid_installdate = "1656471365"	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\default_search_provider_data.template_url_data = "47BB9169B3AD3F70FA58A02BA1CB9A070A85E2F4FEB56CBFF2AAF99BE559013E"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.htm = "0"	setup.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exeDesktopLayer.exelqfxqc.exeDesktopLayer.exemsedge.exemsedge.exe

pid	process
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
2496	DesktopLayer.exe
2496	DesktopLayer.exe
2496	DesktopLayer.exe
2496	DesktopLayer.exe
2496	DesktopLayer.exe
2496	DesktopLayer.exe
2496	DesktopLayer.exe
2496	DesktopLayer.exe
5112	lqfxqc.exe
5112	lqfxqc.exe
4656	DesktopLayer.exe
4656	DesktopLayer.exe
4656	DesktopLayer.exe
4656	DesktopLayer.exe
4656	DesktopLayer.exe
4656	DesktopLayer.exe
4656	DesktopLayer.exe
4656	DesktopLayer.exe
5088	msedge.exe
5088	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4944 iexplore.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

pid	process
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4312 msedge.exe
4312 msedge.exe
4312 msedge.exe
4312 msedge.exe
4312 msedge.exe
4312 msedge.exe
4312 msedge.exe

pid	process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exelqfxqc.exe

description	pid	process
Token: SeDebugPrivilege	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeDebugPrivilege	5112	lqfxqc.exe
Token: SeTakeOwnershipPrivilege	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeRestorePrivilege	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeBackupPrivilege	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeChangeNotifyPrivilege	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

iexplore.exeiexplore.exe

pid	process
4744	iexplore.exe
4944	iexplore.exe
4744	iexplore.exe
4744	iexplore.exe
4744	iexplore.exe
4744	iexplore.exe
4744	iexplore.exe
4744	iexplore.exe
4744	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
4944	iexplore.exe
4944	iexplore.exe
4744	iexplore.exe
4744	iexplore.exe
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE
3364	IEXPLORE.EXE
3364	IEXPLORE.EXE
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe

description	pid	process	target process
PID 828 wrote to memory of 876	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
PID 828 wrote to memory of 876	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
PID 828 wrote to memory of 876	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
PID 828 wrote to memory of 620	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 828 wrote to memory of 620	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 828 wrote to memory of 620	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 828 wrote to memory of 620	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 828 wrote to memory of 620	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 828 wrote to memory of 620	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	winlogon.exe
PID 828 wrote to memory of 680	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 828 wrote to memory of 680	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 828 wrote to memory of 680	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 828 wrote to memory of 680	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 828 wrote to memory of 680	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 828 wrote to memory of 680	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	lsass.exe
PID 828 wrote to memory of 780	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 780	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 780	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 780	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 780	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 780	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 776	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 776	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 776	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 776	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 776	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 776	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	fontdrvhost.exe
PID 828 wrote to memory of 792	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 792	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 792	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 792	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 792	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 792	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 892	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 892	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 892	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 892	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 892	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 892	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 952	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 952	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 952	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 952	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 952	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 952	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 312	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	dwm.exe
PID 828 wrote to memory of 312	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	dwm.exe
PID 828 wrote to memory of 312	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	dwm.exe
PID 828 wrote to memory of 312	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	dwm.exe
PID 828 wrote to memory of 312	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	dwm.exe
PID 828 wrote to memory of 312	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	dwm.exe
PID 828 wrote to memory of 492	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 492	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 492	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 492	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 492	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 492	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 424	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 424	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 424	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 424	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 424	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 424	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe
PID 828 wrote to memory of 908	828	0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:312

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1140

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
2⤵
PID:3152

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1388

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4532

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3644

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2644

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:5060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4400

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3732

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
"C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe"
2⤵
- Modifies firewall policy service
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:876

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4944 CREDAT:17410 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1728
3⤵
- Program crash
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2748

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2164

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
2⤵
PID:1740

C:\Windows\lqfxqc.exe
C:\Windows\lqfxqc.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\lqfxqcSrv.exe
C:\Windows\lqfxqcSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5116

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4744 CREDAT:17410 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1004c
6⤵
- Modifies data under HKEY_USERS
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1004c
7⤵
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffafd8546f8,0x7ffafd854708,0x7ffafd854718
8⤵
- Drops file in System32 directory
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
8⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
8⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
8⤵
PID:1096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
8⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
8⤵
- Modifies data under HKEY_USERS
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
8⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
8⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
8⤵
PID:672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
8⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
8⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
8⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff688c85460,0x7ff688c85470,0x7ff688c85480
9⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 828 -ip 828
1⤵
PID:5016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
40af3714dea3388dbc179e213401e19b

SHA1
3024f09831d61fdd64cf956fdda422fb6bd29fdb

SHA256
0c6e821241510b374c4750c2c000afb101d32de85db571bff3f4b6561573f122

SHA512
96ddf35355e6889d0311e9e441641adcbfcceb681be929c4ab73f6ebdb525ad0ac4e30d2b4053de43fa1d06675608dfb6e4eba56dce021503252f532638ac9ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
783bd23667c12ca390d644ca34a5e934

SHA1
a832adb9a9b6ca9d580668c9454fcb5b19866e42

SHA256
b2a2dd937608b48ae634089a68989b739e32dbeb7d5948c645a971b6896f7663

SHA512
adc3d2be3d3838a6e9b89e68c7e2acdb08b8705539de10b217287dab0f48f8403f5cdb8f63375f52770a0d7d09ad6a4e85194e1f1aeb869038dc2baa4ddfa609

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\lqfxqc.exe
Filesize
107KB

MD5
0a7135dfdb1bd11de9ce5b3f18fc24af

SHA1
7b3afbbc6d639ec0419be1ce9f7d27e3978db290

SHA256
0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78

SHA512
dd88227dd1cee7f28ec5a9c287f2ca28cc4f08b771618ab48b2cbe4f0cad579e45b58d73ab2243e4e45c54c57ec601ce9766ff43a10130dacc40228600b9f66d

Download Submit
C:\Windows\lqfxqc.exe
Filesize
107KB

MD5
0a7135dfdb1bd11de9ce5b3f18fc24af

SHA1
7b3afbbc6d639ec0419be1ce9f7d27e3978db290

SHA256
0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78

SHA512
dd88227dd1cee7f28ec5a9c287f2ca28cc4f08b771618ab48b2cbe4f0cad579e45b58d73ab2243e4e45c54c57ec601ce9766ff43a10130dacc40228600b9f66d

Download Submit
C:\Windows\lqfxqcSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\lqfxqcSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
1KB

MD5
8fdde47c610627e262383c8c346a3789

SHA1
a833aff1b01cb5a8414361e8f4d171817f6b0791

SHA256
024a58c6c6f03e606b3802919b94fce4a579d9b3ed456f1f3e99bf576183cc00

SHA512
1a61dd148227ba37054e25c124b7c886f216c2754d3d815a6e9e013148368b1e896f90cdd98296956df999edc2efa00a61fc5773e2710275505d89222a05ff32

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
434B

MD5
201925867fcb7cb05ab310bf4d4d34d9

SHA1
ead9fe29ff88537e370e00ce6208a5afd343ea59

SHA256
a463c792bd888d9945c5396a1f401e577fa093754a8643e4bee840aaebfbebad

SHA512
bd6eb7103f575b276edfadedcba09aab17859c811d5fcdb5fe15d1663357c8f10aaf74100549ca2b647560c066bf0d59dd95b1b113ca2375206c35767837d3ba

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
41829e9f14e5fc09bb9d75564e33ad08

SHA1
d52246177e22bcfb2175acf1cd074eabd7da1974

SHA256
43ff3ba3232eca07cc62b2f08776ffa5a8c922df7f2151705f56b477b7de17b6

SHA512
8934c7cf7cc87fd8eb827e60c8f4252e44b184c76d0a5e93f432109708c38c21054bbbaf34ff16cef7a4cbd9af4cc06767a6138c7a81261e5cf79b4cff116ddc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4312_VZYZEJRWSSFHCQPT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/672-178-0x0000000000000000-mapping.dmp

Download
memory/828-152-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/828-159-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/828-158-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/828-130-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/876-133-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/876-134-0x0000000000430000-0x000000000043F000-memory.dmp

Filesize
60KB

Download
memory/876-131-0x0000000000000000-mapping.dmp

Download
memory/1096-168-0x0000000000000000-mapping.dmp

Download
memory/1344-184-0x0000000000000000-mapping.dmp

Download
memory/2224-155-0x0000000000000000-mapping.dmp

Download
memory/2320-172-0x0000000000000000-mapping.dmp

Download
memory/2496-136-0x0000000000000000-mapping.dmp

Download
memory/2496-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2496-140-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2496-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3212-180-0x0000000000000000-mapping.dmp

Download
memory/3400-183-0x0000000000000000-mapping.dmp

Download
memory/3592-170-0x0000000000000000-mapping.dmp

Download
memory/3620-165-0x0000000000000000-mapping.dmp

Download
memory/3888-153-0x0000000000000000-mapping.dmp

Download
memory/4080-161-0x0000000000000000-mapping.dmp

Download
memory/4312-154-0x0000000000000000-mapping.dmp

Download
memory/4656-148-0x0000000000000000-mapping.dmp

Download
memory/4708-176-0x0000000000000000-mapping.dmp

Download
memory/5024-174-0x0000000000000000-mapping.dmp

Download
memory/5088-162-0x0000000000000000-mapping.dmp

Download
memory/5112-166-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5112-144-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5116-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5116-145-0x0000000000000000-mapping.dmp

Download