Analysis
max time kernel: 1801s
max time network: 1797s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 29-06-2022 00:55
Static task: static1
Behavioral task: behavioral1
Sample: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Resource: win7-20220414-en
General
Target: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Size: 107KB
MD5: 0a7135dfdb1bd11de9ce5b3f18fc24af
SHA1: 7b3afbbc6d639ec0419be1ce9f7d27e3978db290
SHA256: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78
SHA512: dd88227dd1cee7f28ec5a9c287f2ca28cc4f08b771618ab48b2cbe4f0cad579e45b58d73ab2243e4e45c54c57ec601ce9766ff43a10130dacc40228600b9f66d
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe:*:enabled:@shell32.dll,-1" | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
-
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
-
suricata: ET MALWARE [PTsecurity] Botnet Nitol.B Checkin
-
Executes dropped EXE (5 IoCs)
Processes: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe, DesktopLayer.exe, lqfxqc.exe, lqfxqcSrv.exe, DesktopLayer.exe
pid | process
876 | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
2496 | DesktopLayer.exe
5112 | lqfxqc.exe
5116 | lqfxqcSrv.exe
4656 | DesktopLayer.exe
-
Processes:
resource | yara_rule
behavioral2/memory/828-130-0x0000000000400000-0x0000000000427000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe | upx
behavioral2/memory/876-133-0x0000000000400000-0x000000000042E000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral2/memory/2496-139-0x0000000000400000-0x000000000042E000-memory.dmp | upx
behavioral2/memory/2496-141-0x0000000000400000-0x000000000042E000-memory.dmp | upx
C:\Windows\lqfxqc.exe | upx
C:\Windows\lqfxqc.exe | upx
behavioral2/memory/5112-144-0x0000000000400000-0x0000000000427000-memory.dmp | upx
C:\Windows\lqfxqcSrv.exe | upx
C:\Windows\lqfxqcSrv.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral2/memory/5116-150-0x0000000000400000-0x000000000042E000-memory.dmp | upx
behavioral2/memory/828-158-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral2/memory/5112-166-0x0000000000400000-0x0000000000427000-memory.dmp | upx
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
-
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
description | ioc | process
File opened (read-only) | \??\H:, \??\I:, \??\J:, \??\L:, \??\R:, \??\S:, \??\U:, \??\F:, \??\M:, \??\P:, \??\Q:, \??\T:, \??\Y:, \??\G:, \??\N:, \??\O:, \??\V:, \??\W:, \??\X:, \??\K:, \??\Z:, \??\E: (one IoC per drive letter) | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
-
Drops file in System32 directory 64 IoCs
Processes: msedge.exe, msedge.exe, msedge.exe, iexplore.exe
-
Drops file in Program Files directory (7 IoCs)
Processes: setup.exe, 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe, lqfxqcSrv.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220629025613.pma | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\pxABA6.tmp | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\pxB3F3.tmp | lqfxqcSrv.exe
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | lqfxqcSrv.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\104a4cff-b53f-49f6-8e0e-08a10c6fe5e0.tmp | setup.exe
-
Drops file in Windows directory (3 IoCs)
Processes: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe, lqfxqc.exe
description | ioc | process
File created | C:\Windows\lqfxqc.exe | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File opened for modification | C:\Windows\lqfxqc.exe | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
File created | C:\Windows\lqfxqcSrv.exe | lqfxqc.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
1476 | 828 | WerFault.exe | 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: lqfxqc.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | lqfxqc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | lqfxqc.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, msedge.exe, setup.exe, msedge.exe, ie_to_edge_stub.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid process
828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe (×2)
2496 DesktopLayer.exe (×8)
5112 lqfxqc.exe (×2)
4656 DesktopLayer.exe (×8)
5088 msedge.exe (×2)
4312 msedge.exe (×2)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
4944 iexplore.exe
-
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
pid process
828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe (×64)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid process
4312 msedge.exe (×7)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeDebugPrivilege 5112 lqfxqc.exe
Token: SeTakeOwnershipPrivilege 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeRestorePrivilege 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeBackupPrivilege 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
Token: SeChangeNotifyPrivilege 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe
-
Suspicious use of FindShellTrayWindow 9 IoCs
Processes:
pid process
4744 iexplore.exe
4944 iexplore.exe
4744 iexplore.exe (×7)
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
pid process
4944 iexplore.exe (×2)
4744 iexplore.exe (×2)
4588 IEXPLORE.EXE (×2)
3364 IEXPLORE.EXE (×2)
4588 IEXPLORE.EXE (×2)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 828 wrote to memory of 876 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe (×3)
PID 828 wrote to memory of 620 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe winlogon.exe (×6)
PID 828 wrote to memory of 680 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe lsass.exe (×6)
PID 828 wrote to memory of 780 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe fontdrvhost.exe (×6)
PID 828 wrote to memory of 776 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe fontdrvhost.exe (×6)
PID 828 wrote to memory of 792 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe svchost.exe (×6)
PID 828 wrote to memory of 892 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe svchost.exe (×6)
PID 828 wrote to memory of 952 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe svchost.exe (×6)
PID 828 wrote to memory of 312 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe dwm.exe (×6)
PID 828 wrote to memory of 492 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe svchost.exe (×6)
PID 828 wrote to memory of 424 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe svchost.exe (×6)
PID 828 wrote to memory of 908 828 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe svchost.exe (×1)
Processes
-
C:\Windows\system32\lsass.exe (level 1)
Command line: C:\Windows\system32\lsass.exe
-
C:\Windows\system32\winlogon.exe (level 1)
Command line: winlogon.exe
-
C:\Windows\system32\dwm.exe (level 2)
Command line: "dwm.exe"
-
C:\Windows\system32\fontdrvhost.exe (level 2)
Command line: "fontdrvhost.exe"
-
C:\Windows\system32\fontdrvhost.exe (level 1)
Command line: "fontdrvhost.exe"
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
-
C:\Windows\system32\MusNotification.exe (level 2)
Command line: C:\Windows\system32\MusNotification.exe
-
C:\Windows\system32\taskhostw.exe (level 2)
Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k RPCSS -p
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
-
C:\Windows\system32\sihost.exe (level 2)
Command line: sihost.exe
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
-
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\backgroundTaskHost.exe (level 1)
Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
-
C:\Windows\system32\SppExtComObj.exe (level 1)
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
-
C:\Windows\system32\wbem\wmiprvse.exe (level 1)
Command line: C:\Windows\system32\wbem\wmiprvse.exe
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
-
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\DllHost.exe (level 1)
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1)
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
C:\Windows\System32\RuntimeBroker.exe (level 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1)
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
C:\Windows\system32\DllHost.exe (level 1)
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
-
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78.exe"
- Modifies firewall policy service
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe (level 3)
Command line: C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe (level 5)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 6)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4944 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1728
- Program crash
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (level 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
-
C:\Windows\System32\spoolsv.exe (level 1)
Command line: C:\Windows\System32\spoolsv.exe
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
-
C:\Windows\System32\CompPkgSrv.exe (level 2)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\lqfxqc.exeC:\Windows\lqfxqc.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\lqfxqcSrv.exeC:\Windows\lqfxqcSrv.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4744 CREDAT:17410 /prefetch:25⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1004c6⤵
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1004c7⤵
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffafd8546f8,0x7ffafd854708,0x7ffafd8547188⤵
- Drops file in System32 directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:38⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:18⤵
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5341267692957231747,11189382163692822022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings8⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff688c85460,0x7ff688c85470,0x7ff688c85480
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 828 -ip 828
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize: 55KB
MD5: ff5e1f27193ce51eec318714ef038bef
SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 40af3714dea3388dbc179e213401e19b
SHA1: 3024f09831d61fdd64cf956fdda422fb6bd29fdb
SHA256: 0c6e821241510b374c4750c2c000afb101d32de85db571bff3f4b6561573f122
SHA512: 96ddf35355e6889d0311e9e441641adcbfcceb681be929c4ab73f6ebdb525ad0ac4e30d2b4053de43fa1d06675608dfb6e4eba56dce021503252f532638ac9ca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 783bd23667c12ca390d644ca34a5e934
SHA1: a832adb9a9b6ca9d580668c9454fcb5b19866e42
SHA256: b2a2dd937608b48ae634089a68989b739e32dbeb7d5948c645a971b6896f7663
SHA512: adc3d2be3d3838a6e9b89e68c7e2acdb08b8705539de10b217287dab0f48f8403f5cdb8f63375f52770a0d7d09ad6a4e85194e1f1aeb869038dc2baa4ddfa609
-
C:\Users\Admin\AppData\Local\Temp\0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78Srv.exe
Filesize: 55KB
MD5: ff5e1f27193ce51eec318714ef038bef
SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Windows\lqfxqc.exe
Filesize: 107KB
MD5: 0a7135dfdb1bd11de9ce5b3f18fc24af
SHA1: 7b3afbbc6d639ec0419be1ce9f7d27e3978db290
SHA256: 0dee353f6f444308b83d9be0f0d1a49db6b9b35962c0afd5a785ef2cbc018d78
SHA512: dd88227dd1cee7f28ec5a9c287f2ca28cc4f08b771618ab48b2cbe4f0cad579e45b58d73ab2243e4e45c54c57ec601ce9766ff43a10130dacc40228600b9f66d
-
C:\Windows\lqfxqcSrv.exe
Filesize: 55KB
MD5: ff5e1f27193ce51eec318714ef038bef
SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize: 1KB
MD5: 8fdde47c610627e262383c8c346a3789
SHA1: a833aff1b01cb5a8414361e8f4d171817f6b0791
SHA256: 024a58c6c6f03e606b3802919b94fce4a579d9b3ed456f1f3e99bf576183cc00
SHA512: 1a61dd148227ba37054e25c124b7c886f216c2754d3d815a6e9e013148368b1e896f90cdd98296956df999edc2efa00a61fc5773e2710275505d89222a05ff32
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize: 434B
MD5: 201925867fcb7cb05ab310bf4d4d34d9
SHA1: ead9fe29ff88537e370e00ce6208a5afd343ea59
SHA256: a463c792bd888d9945c5396a1f401e577fa093754a8643e4bee840aaebfbebad
SHA512: bd6eb7103f575b276edfadedcba09aab17859c811d5fcdb5fe15d1663357c8f10aaf74100549ca2b647560c066bf0d59dd95b1b113ca2375206c35767837d3ba
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 41829e9f14e5fc09bb9d75564e33ad08
SHA1: d52246177e22bcfb2175acf1cd074eabd7da1974
SHA256: 43ff3ba3232eca07cc62b2f08776ffa5a8c922df7f2151705f56b477b7de17b6
SHA512: 8934c7cf7cc87fd8eb827e60c8f4252e44b184c76d0a5e93f432109708c38c21054bbbaf34ff16cef7a4cbd9af4cc06767a6138c7a81261e5cf79b4cff116ddc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4312_VZYZEJRWSSFHCQPT
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e