ramnit | 22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe
Size

102KB
MD5

2494491f7f6287f30b46442eae071e4b
SHA1

ea34be368229a385f32c587d834e675012dfafeb
SHA256

22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb
SHA512

a8fa365fab2e29358dfc578f7e1315165c93a18bd93662c226bde96412e1862a249d9e1abd39547266a41997628f5d22678dd39de0cb80509567741d7014d702
SSDEEP

1536:SwvWyX3kzGusSQ007k1sX/MiP1gOXqNgXmIZwZO8TkiNfyjYyW/WxD4:SwvWyX1insPZgOggXmIZwZOykO+YyhE

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe

Executes dropped EXE 64 IoCs

Processes:

22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exewkkwkm.exewkkwkmSrv.exeDesktopLayer.exe

pid	process
2936	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe
3960	wkkwkm.exe
4400	wkkwkmSrv.exe
2744	DesktopLayer.exe
5672	wkkwkm.exe
5696	wkkwkmSrv.exe
5736	DesktopLayer.exe
5928	wkkwkm.exe
5952	wkkwkmSrv.exe
5988	DesktopLayer.exe
5208	wkkwkm.exe
5312	wkkwkmSrv.exe
5364	DesktopLayer.exe
1220	wkkwkm.exe
4280	wkkwkmSrv.exe
5668	DesktopLayer.exe
5892	wkkwkm.exe
5684	wkkwkmSrv.exe
5976	DesktopLayer.exe
3664	wkkwkm.exe
5468	wkkwkmSrv.exe
5584	DesktopLayer.exe
5920	wkkwkm.exe
5956	wkkwkmSrv.exe
6000	DesktopLayer.exe
1420	wkkwkm.exe
4628	wkkwkmSrv.exe
5788	DesktopLayer.exe
5488	wkkwkm.exe
5208	wkkwkmSrv.exe
5368	DesktopLayer.exe
5312	wkkwkm.exe
1388	wkkwkmSrv.exe
5980	DesktopLayer.exe
5708	wkkwkm.exe
4892	wkkwkmSrv.exe
5728	DesktopLayer.exe
1388	wkkwkm.exe
5608	wkkwkmSrv.exe
5888	DesktopLayer.exe
3696	wkkwkm.exe
5284	wkkwkmSrv.exe
1496	DesktopLayer.exe
6172	wkkwkm.exe
6192	wkkwkmSrv.exe
6220	DesktopLayer.exe
6316	wkkwkm.exe
6336	wkkwkmSrv.exe
6368	DesktopLayer.exe
6536	wkkwkm.exe
6556	wkkwkmSrv.exe
6596	DesktopLayer.exe
6428	wkkwkm.exe
6400	wkkwkmSrv.exe
6512	DesktopLayer.exe
6624	wkkwkm.exe
6724	wkkwkmSrv.exe
6716	DesktopLayer.exe
6752	wkkwkm.exe
3420	wkkwkmSrv.exe
6948	DesktopLayer.exe
4688	wkkwkm.exe
3492	wkkwkmSrv.exe
7084	DesktopLayer.exe

Loads dropped DLL 64 IoCs

Processes:

wkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exe

pid	process
3960	wkkwkm.exe
5672	wkkwkm.exe
5928	wkkwkm.exe
5208	wkkwkm.exe
1220	wkkwkm.exe
5892	wkkwkm.exe
3664	wkkwkm.exe
5920	wkkwkm.exe
1420	wkkwkm.exe
5488	wkkwkm.exe
5312	wkkwkm.exe
5708	wkkwkm.exe
1388	wkkwkm.exe
3696	wkkwkm.exe
6172	wkkwkm.exe
6316	wkkwkm.exe
6536	wkkwkm.exe
6428	wkkwkm.exe
6624	wkkwkm.exe
6752	wkkwkm.exe
4688	wkkwkm.exe
3496	wkkwkm.exe
6176	wkkwkm.exe
4656	wkkwkm.exe
4976	wkkwkm.exe
4992	wkkwkm.exe
4236	wkkwkm.exe
6576	wkkwkm.exe
6896	wkkwkm.exe
6980	wkkwkm.exe
7112	wkkwkm.exe
6288	wkkwkm.exe
3604	wkkwkm.exe
3108	wkkwkm.exe
4920	wkkwkm.exe
6592	wkkwkm.exe
3280	wkkwkm.exe
6220	wkkwkm.exe
1992	wkkwkm.exe
5972	wkkwkm.exe
3068	wkkwkm.exe
5720	wkkwkm.exe
1824	wkkwkm.exe
4892	wkkwkm.exe
6868	wkkwkm.exe
6880	wkkwkm.exe
3604	wkkwkm.exe
4552	wkkwkm.exe
6532	wkkwkm.exe
6340	wkkwkm.exe
1992	wkkwkm.exe
5676	wkkwkm.exe
5864	wkkwkm.exe
5604	wkkwkm.exe
2752	wkkwkm.exe
6616	wkkwkm.exe
1264	wkkwkm.exe
4664	wkkwkm.exe
2592	wkkwkm.exe
7116	wkkwkm.exe
6292	wkkwkm.exe
6840	wkkwkm.exe
6140	wkkwkm.exe
5864	wkkwkm.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe	upx
behavioral2/memory/2936-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2936-14-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2744-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4400-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4400-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4400-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/5696-242-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/5696-247-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/5468-355-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/5788-406-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/6336-527-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/6368-530-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/6596-546-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/7160-791-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2308-838-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1992-959-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4664-975-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/6032-1134-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2260-1164-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/6464-1316-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

Processes:

IEXPLORE.EXEwkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exeiexplore.exeiexplore.exemsedge.exeiexplore.exewkkwkm.exeiexplore.exewkkwkm.exewkkwkm.exewkkwkm.exeiexplore.exewkkwkm.exewkkwkm.exeiexplore.exewkkwkm.exemsedge.exeiexplore.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36F7C69B-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\favicon[1].ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Local State~RFe577d2f.TMP	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09C08CE2-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG	msedge.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-6650EF96-630.pma	msedge.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{03BC5EFC-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F82B35BD-1A06-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{257CA84F-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\0b0749c3-419d-4e01-a954-928debff2240.tmp	msedge.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E8761628-1A06-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0F1B7591-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{257CA84B-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{36F7C6AF-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000001.dbtmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps	msedge.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\CURRENT	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Local State~RFe577d5e.TMP	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network Persistent State~RFe577d6d.TMP	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatUaCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Virtualized	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F82B35D7-1A06-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network Persistent State	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001	msedge.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{151AE01B-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\optimization_guide_hint_cache_store\LOCK	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EE7E1778-1A06-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{30F39739-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09C08CDC-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\7f0391f2-878d-4a89-bf67-56ee0352e306.tmp	msedge.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	wkkwkm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1A69DC3C-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1A69DC54-1A07-11EF-A084-7ACDD6433640}.dat	iexplore.exe

Drops file in Program Files directory 64 IoCs

Processes:

wkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exewkkwkmSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA0B0.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px57FA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\px949F.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxF637.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px137E.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px75FB.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBC89.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3A26.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC1A5.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6538.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\pxC302.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5436.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4CED.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\px697E.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2611.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB6C8.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7277.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5CD1.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9824.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px674B.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\pxA642.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3350.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD145.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px853D.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4210.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8983.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px16EE.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7952.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB5F2.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8F4B.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD7DD.tmp	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	wkkwkmSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5395.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC796.tmp	wkkwkmSrv.exe

Drops file in Windows directory 64 IoCs

Processes:

wkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exe22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exewkkwkm.exe

description	ioc	process
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkm.exe	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe
File opened for modification	C:\Windows\wkkwkmSrv.exe	wkkwkm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3168863215"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108627"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E8787848-1A06-11EF-A084-7ACDD6433640} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3168863215"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108627"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108627"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423345219"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3171832038"	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exemsedge.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exesetup.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exemsedge.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exemsedge.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\LoadTimeArray = 10000000140000000d0000000200000010000000030000000b000000020000001000000013000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\settings_reset_prompt.last_triggered_for_default_search = "8984D3CD0846D091D330753E79F6010701600B3E9E0CF480C47630D1E0E45871"	msedge.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Time = e8070500050018001300330006000d00	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\LoadTimeArray = 00000000030000000000000000000000060000000000000000000000040000000200000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Time = e807050005001800130033002f00d800	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\MSEdgeHTM_.mhtml = "0"	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "23"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "58"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "93"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Count = "133"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Time = e8070500050018001300350009008803
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\LoadTimeArray = 03000000020000000300000008000000030000000300000011000000020000000300000002000000	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Count = "110"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "203"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Time = e807050005001800130033001c006f02	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Edge\IEToEdge	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "48"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\IEMigration	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\LoadTimeArray = 02000000020000000f00000003000000020000000e00000004000000020000000300000013000000	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Count = "192"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "188"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\LoadTimeArray = 04000000030000000200000002000000160000001000000002000000030000000400000002000000
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\BLBeacon\version = "92.0.902.67"	msedge.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff580000005800000078030000b0020000	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\LoadTimeArray = 03000000000000000000000003000000010000000000000003000000020000000100000004000000	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\LoadTimeArray = 01000000030000000000000007000000010000000500000001000000090000000100000007000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "130"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\DualEngineCacheContainerTracker\MEKC82HF = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXq0fevzme2pys62n3e0fbqa7peapykr8v_http = "0"	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "148"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "5"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wkkwkmSrv.exeDesktopLayer.exemsedge.exemsedge.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
4400	wkkwkmSrv.exe
4400	wkkwkmSrv.exe
4400	wkkwkmSrv.exe
4400	wkkwkmSrv.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
4400	wkkwkmSrv.exe
4400	wkkwkmSrv.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
4400	wkkwkmSrv.exe
4400	wkkwkmSrv.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
996	msedge.exe
996	msedge.exe
1584	msedge.exe
1584	msedge.exe
5736	DesktopLayer.exe
5736	DesktopLayer.exe
5736	DesktopLayer.exe
5736	DesktopLayer.exe
5736	DesktopLayer.exe
5736	DesktopLayer.exe
5736	DesktopLayer.exe
5736	DesktopLayer.exe
5988	DesktopLayer.exe
5988	DesktopLayer.exe
5988	DesktopLayer.exe
5988	DesktopLayer.exe
5988	DesktopLayer.exe
5988	DesktopLayer.exe
5988	DesktopLayer.exe
5988	DesktopLayer.exe
5364	DesktopLayer.exe
5364	DesktopLayer.exe
5364	DesktopLayer.exe
5364	DesktopLayer.exe
5364	DesktopLayer.exe
5364	DesktopLayer.exe
5364	DesktopLayer.exe
5364	DesktopLayer.exe
5668	DesktopLayer.exe
5668	DesktopLayer.exe
5668	DesktopLayer.exe
5668	DesktopLayer.exe
5668	DesktopLayer.exe
5668	DesktopLayer.exe
5668	DesktopLayer.exe
5668	DesktopLayer.exe
5976	DesktopLayer.exe
5976	DesktopLayer.exe
5976	DesktopLayer.exe
5976	DesktopLayer.exe
5976	DesktopLayer.exe
5976	DesktopLayer.exe
5976	DesktopLayer.exe
5976	DesktopLayer.exe
5584	DesktopLayer.exe
5584	DesktopLayer.exe
5584	DesktopLayer.exe
5584	DesktopLayer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1584 msedge.exe
1584 msedge.exe
1584 msedge.exe
1584 msedge.exe
1584 msedge.exe
1584 msedge.exe
1584 msedge.exe

pid	process
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe
Token: SeIncBasePriorityPrivilege	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exeiexplore.exe

pid	process
4644	iexplore.exe
4644	iexplore.exe
3372	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe
4644	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
4644	iexplore.exe
4644	iexplore.exe
3372	iexplore.exe
3372	iexplore.exe
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
4516	IEXPLORE.EXE
4516	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
5812	IEXPLORE.EXE
5812	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
6064	IEXPLORE.EXE
6064	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
5512	IEXPLORE.EXE
5512	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
5812	IEXPLORE.EXE
5812	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
6028	IEXPLORE.EXE
6028	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
6064	IEXPLORE.EXE
6064	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
5356	IEXPLORE.EXE
5356	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
5512	IEXPLORE.EXE
5512	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
6032	IEXPLORE.EXE
6032	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
6028	IEXPLORE.EXE
6028	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
5592	IEXPLORE.EXE
5592	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
5356	IEXPLORE.EXE
5356	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe
3616	IEXPLORE.EXE
3616	IEXPLORE.EXE
4644	iexplore.exe
4644	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exewkkwkm.exe22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exewkkwkmSrv.exeDesktopLayer.exeiexplore.exeiexplore.exeIEXPLORE.EXEie_to_edge_stub.exemsedge.exe

description	pid	process	target process
PID 4016 wrote to memory of 2936	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe
PID 4016 wrote to memory of 2936	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe
PID 4016 wrote to memory of 2936	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe
PID 3960 wrote to memory of 4400	3960	wkkwkm.exe	wkkwkmSrv.exe
PID 3960 wrote to memory of 4400	3960	wkkwkm.exe	wkkwkmSrv.exe
PID 3960 wrote to memory of 4400	3960	wkkwkm.exe	wkkwkmSrv.exe
PID 2936 wrote to memory of 2744	2936	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe	DesktopLayer.exe
PID 2936 wrote to memory of 2744	2936	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe	DesktopLayer.exe
PID 2936 wrote to memory of 2744	2936	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe	DesktopLayer.exe
PID 4400 wrote to memory of 4644	4400	wkkwkmSrv.exe	iexplore.exe
PID 4400 wrote to memory of 4644	4400	wkkwkmSrv.exe	iexplore.exe
PID 2744 wrote to memory of 3372	2744	DesktopLayer.exe	iexplore.exe
PID 2744 wrote to memory of 3372	2744	DesktopLayer.exe	iexplore.exe
PID 4644 wrote to memory of 4516	4644	iexplore.exe	IEXPLORE.EXE
PID 4644 wrote to memory of 4516	4644	iexplore.exe	IEXPLORE.EXE
PID 4644 wrote to memory of 4516	4644	iexplore.exe	IEXPLORE.EXE
PID 3372 wrote to memory of 2008	3372	iexplore.exe	IEXPLORE.EXE
PID 3372 wrote to memory of 2008	3372	iexplore.exe	IEXPLORE.EXE
PID 3372 wrote to memory of 2008	3372	iexplore.exe	IEXPLORE.EXE
PID 4016 wrote to memory of 4376	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	cmd.exe
PID 4016 wrote to memory of 4376	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	cmd.exe
PID 4016 wrote to memory of 4376	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	cmd.exe
PID 4016 wrote to memory of 3688	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	cmd.exe
PID 4016 wrote to memory of 3688	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	cmd.exe
PID 4016 wrote to memory of 3688	4016	22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe	cmd.exe
PID 4516 wrote to memory of 3992	4516	IEXPLORE.EXE	ie_to_edge_stub.exe
PID 4516 wrote to memory of 3992	4516	IEXPLORE.EXE	ie_to_edge_stub.exe
PID 3992 wrote to memory of 1584	3992	ie_to_edge_stub.exe	msedge.exe
PID 3992 wrote to memory of 1584	3992	ie_to_edge_stub.exe	msedge.exe
PID 1584 wrote to memory of 1860	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1860	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe
PID 1584 wrote to memory of 1212	1584	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe
"C:\Users\Admin\AppData\Local\Temp\22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe
C:\Users\Admin\AppData\Local\Temp\22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3372 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\22FAD7~1.EXE > nul
2⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\22FAD7~1.EXE > nul
2⤵
PID:3688

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17410 /prefetch:2
4⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=3f002c
5⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=3f002c
6⤵
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1fc246f8,0x7fff1fc24708,0x7fff1fc24718
7⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
7⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2432 /prefetch:8
7⤵
- Modifies data under HKEY_USERS
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2188 /prefetch:1
7⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
7⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
7⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
7⤵
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
7⤵
PID:372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
7⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
7⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,394048790475814357,10291280840166415971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
7⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
7⤵
- Modifies data under HKEY_USERS
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff7e09b5460,0x7ff7e09b5470,0x7ff7e09b5480
8⤵
PID:5156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17414 /prefetch:2
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17418 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:6064

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17422 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:5512

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17428 /prefetch:2
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17434 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17440 /prefetch:2
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17446 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:5592

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17452 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17458 /prefetch:2
4⤵
PID:6456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17466 /prefetch:2
4⤵
- Modifies data under HKEY_USERS
PID:6880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17474 /prefetch:2
4⤵
PID:6216

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17482 /prefetch:2
4⤵
PID:4300

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17490 /prefetch:2
4⤵
PID:6412

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17498 /prefetch:2
4⤵
PID:6188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5672

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:5696

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5776

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5928

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:5952

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6024

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:5208

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:5312

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5452

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:4280

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5720

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5892

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5684

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies data under HKEY_USERS
PID:6016

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3664

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:5468

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2168

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5920

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:5956

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:6000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5952

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:4628

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:5788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5560

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:5488

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:5208

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:5368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5908

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5312

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:1388

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:5980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5872

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5708

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:4892

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:5728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5888

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5608

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:5888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3616

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3696

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5284

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:1496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies data under HKEY_USERS
PID:5364

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:6172

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:6192

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:6220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6248

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:6316

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:6336

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:6368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6396

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6536

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:6556

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:6596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6648

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6428

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:6400

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:6512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6348

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6624

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:6724

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:6716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4904

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6752

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
PID:3420

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:6948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6976

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4688

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3492

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
PID:7084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7112

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:3496

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4240

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6152

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6176

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6268

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1844

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4656

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:3728

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4844

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:4976

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2104

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4636

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:4992

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4800

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:648

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:4236

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3260

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5320

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6576

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6444

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6600

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6896

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6832

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6856

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6980

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:7044

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7096

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:7112

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1232

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1564

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6288

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3332

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4388

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:3604

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2844

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2940

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:3108

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1884

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3476

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:4920

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:2832

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17410 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:3944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17414 /prefetch:2
5⤵
PID:2616

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17418 /prefetch:2
5⤵
PID:1176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17422 /prefetch:2
5⤵
PID:6172

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17428 /prefetch:2
5⤵
PID:6884

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17434 /prefetch:2
5⤵
PID:5684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17440 /prefetch:2
5⤵
PID:1388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17446 /prefetch:2
5⤵
PID:3144

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17452 /prefetch:2
5⤵
PID:6900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17458 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:4276

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17466 /prefetch:2
5⤵
PID:1856

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17474 /prefetch:2
5⤵
PID:4956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17482 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:2832

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17490 /prefetch:2
5⤵
PID:4640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6676 CREDAT:17498 /prefetch:2
5⤵
PID:6748

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:6592

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6348

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6804

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:3280

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:7092

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7116

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6220

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6300

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2932

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1992

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2080

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
PID:5972

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6092

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5948

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:3068

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2444

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5880

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:5720

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6016

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1824

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:1804

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6004

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:4892

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2544

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6464

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:6868

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6224

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4016

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6880

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:2260

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6820

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3604

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2040

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:4552

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6528

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3544

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6320

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6532

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6816

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7116

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:6340

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3984

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6292

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1992

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6156

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6256

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5676

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5972

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4708

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:5864

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6100

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5544

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:5604

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5352

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5288

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:2752

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5228

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6272

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6616

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6464

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4892

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:1264

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6556

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6704

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:4664

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:1212

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3272

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:2592

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:1384

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6348

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:7116

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3980

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6284

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6292

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6304

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6044

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6840

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3188

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1556

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
PID:6140

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5848

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4884

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5864

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5780

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5976

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6000

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5944

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6432

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2736

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2928

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies data under HKEY_USERS
PID:6828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 6676 -ip 6676
1⤵
PID:4016

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4940

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6820

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 6676 -ip 6676
1⤵
PID:4828

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6324

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6732

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6392

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:344

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6396

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17410 /prefetch:2
5⤵
PID:5416

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17414 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:6692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17418 /prefetch:2
5⤵
PID:3732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17422 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:5728

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17428 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:3332

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17434 /prefetch:2
5⤵
PID:5756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17440 /prefetch:2
5⤵
PID:4844

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17446 /prefetch:2
5⤵
PID:6612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17452 /prefetch:2
5⤵
PID:6760

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17458 /prefetch:2
5⤵
PID:3216

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17466 /prefetch:2
5⤵
PID:6668

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17474 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:5916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17482 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:5236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17490 /prefetch:2
5⤵
PID:5064

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7040 CREDAT:17498 /prefetch:2
5⤵
PID:6336

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6060

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4656

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1564

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:556

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6064

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4148

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:996

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:5672

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3864

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:5960

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4892

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3508

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:1944

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6836

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5324

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6080

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6684

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6276

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6572

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6508

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7088

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3652

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6832

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:3880

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6296

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4500

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5588

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:432

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7052

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:912

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4808

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6680

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4956

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5736

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:5536

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5404

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6804

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6324

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6532

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3016

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2396

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3292

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4320

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6088

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4148

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6840

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5864

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4840

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:996

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6564

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:3620

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5492

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6428

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6696

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6844

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6364

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1264

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1360

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:4004

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6516

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6676

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:1420

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6984

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7016

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6232

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:7160

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4276

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3144

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2200

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6780

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:4640

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6528

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:7116

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2932

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6304

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:632

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:3276

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2744

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:5904

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6520

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6464

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:1056

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:7028

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3000

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3836

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4700

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1944

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6508

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:4868

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6624

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2380

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1152

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 7040 -ip 7040
1⤵
PID:432

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:7160

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2960

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3256

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3080

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:3552

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17410 /prefetch:2
5⤵
PID:3480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17414 /prefetch:2
5⤵
PID:5500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17418 /prefetch:2
5⤵
PID:6000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17422 /prefetch:2
5⤵
PID:3000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17428 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:1784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17434 /prefetch:2
5⤵
PID:6012

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17440 /prefetch:2
5⤵
PID:6672

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17446 /prefetch:2
5⤵
PID:4296

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17452 /prefetch:2
5⤵
PID:1856

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17458 /prefetch:2
5⤵
PID:6380

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17466 /prefetch:2
5⤵
PID:3424

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17474 /prefetch:2
5⤵
PID:6660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17482 /prefetch:2
5⤵
PID:1116

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17490 /prefetch:2
5⤵
PID:3544

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6968 CREDAT:17498 /prefetch:2
5⤵
PID:5228

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2648

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1252

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6772

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:2948

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5356

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4592

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6720

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3728

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1364

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4580

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6404

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3044

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:7152

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1152

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6952

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:6336

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:804

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6808

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2284

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3368

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5208

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5776

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:2444

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6964

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:4372

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2028

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6760

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:2404

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3332

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3704

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6596

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:5544

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6864

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5584

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:372

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6188

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:1008

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4800

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1708

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3324

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6592

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:4304

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2268

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1048

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:2748

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:224

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5092

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6316

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:7088

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6276

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:1152

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1944

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5992

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6484

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6624

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3400

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5468

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6116

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5680

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6856

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5976

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2252

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6544

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5360

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3648

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:3068

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7156

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:7068

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5336

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:4324

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1552

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4832

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:2232

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6264

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1148

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6772

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2648

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4200

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6464

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4824

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3900

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4572

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:5648

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4784

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:4664

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1944

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5416

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3368

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:964

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1372

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2284

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:7136

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3692

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6280

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2668

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3216

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:7148

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6928

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17410 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:2728

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17414 /prefetch:2
5⤵
PID:5100

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17418 /prefetch:2
5⤵
PID:5936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17422 /prefetch:2
5⤵
PID:2772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17428 /prefetch:2
5⤵
PID:5468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17434 /prefetch:2
5⤵
PID:4004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17440 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:2040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17446 /prefetch:2
5⤵
PID:1040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17452 /prefetch:2
5⤵
PID:6820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17458 /prefetch:2
5⤵
PID:652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17466 /prefetch:2
5⤵
PID:1152

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17474 /prefetch:2
5⤵
PID:636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17482 /prefetch:2
5⤵
PID:5484

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17490 /prefetch:2
5⤵
PID:2668

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6928 CREDAT:17498 /prefetch:2
5⤵
PID:6240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6928 -s 6424
5⤵
PID:4284

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5296

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1120

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5972

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6304

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:1796

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6020

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3524

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5092

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3900

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6952

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6552

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3596

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6900

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:7004

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4092

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6504

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4688

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2436

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6764

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3944

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3644

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2948

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6380

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4660

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:7132

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:4332

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6140

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5288

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:4308

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6696

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6388

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3220

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5676

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:6208

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:548

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5224

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:2228

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6836

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:7044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2236

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5628

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6096

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6060

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:2516

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3692

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5564

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:5336

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6064

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5352

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3616

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1392

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6296

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6288

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4432

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3432

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6484

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6812

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4284

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6828

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:7008

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5516

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:2904

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3144

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6992

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3184

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6136

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6380

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3760

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:5328

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7020

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6956

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1736

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:812

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6320

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:836

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3480

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:228

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1844

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4800

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5868

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2192

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4372

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6252

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:7148

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3216

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6324

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5576

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5988

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6708

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:224

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5872

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6080

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3432

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5196

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6128

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1372

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6444

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:3728

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2900

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17410 /prefetch:2
5⤵
PID:2972

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17414 /prefetch:2
5⤵
PID:2976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17418 /prefetch:2
5⤵
PID:6868

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17422 /prefetch:2
5⤵
PID:1060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17428 /prefetch:2
5⤵
PID:5968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17434 /prefetch:2
5⤵
PID:2012

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17440 /prefetch:2
5⤵
PID:6192

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17446 /prefetch:2
5⤵
PID:4468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17452 /prefetch:2
5⤵
PID:6956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17458 /prefetch:2
5⤵
PID:3872

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17466 /prefetch:2
5⤵
PID:5872

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17474 /prefetch:2
5⤵
PID:6748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17482 /prefetch:2
5⤵
PID:6692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17490 /prefetch:2
5⤵
PID:4552

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5220 CREDAT:17498 /prefetch:2
5⤵
PID:4636

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4872

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1736

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4180

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4136

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6888

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4228

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:6776

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5388

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3692

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:5724

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5992

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4768

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6972

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:1876

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1732

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3452

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:7008

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6928

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4324

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3316

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1268

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in System32 directory
PID:5524

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5788

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6832

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3584

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:912

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4604

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6584

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2844

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6796

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:3276

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7112

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5924

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2668

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:436

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:3984

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6056

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2752

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6208

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6168

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:944

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:3424

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5868

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6232

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:1604

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5348

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6992

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4768

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6016

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4688

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5684

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:7056

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7008

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:5856

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6528

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1148

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5892

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3900

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3124

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4904

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4324

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6004

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6368

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5940

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:1144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5048

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4580

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5296

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4772

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5600

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6160

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5580

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5728

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5628

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6260

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6496

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5672

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6244

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:1008

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3760

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6936

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4300

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:224

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4712

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:4396

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4380

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5836

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2764

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3528

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3644

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6580

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6220

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5848

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5988

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:5492

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6744

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:916

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6804

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5396

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5080

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:1352

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17410 /prefetch:2
5⤵
PID:4772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17414 /prefetch:2
5⤵
- Modifies data under HKEY_USERS
PID:6280

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17418 /prefetch:2
5⤵
PID:4660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17422 /prefetch:2
5⤵
PID:3424

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17428 /prefetch:2
5⤵
PID:2764

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17434 /prefetch:2
5⤵
PID:1108

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17440 /prefetch:2
5⤵
PID:7140

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17446 /prefetch:2
5⤵
PID:5608

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17452 /prefetch:2
5⤵
PID:6880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17458 /prefetch:2
5⤵
PID:5976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17466 /prefetch:2
5⤵
PID:616

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5064

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5408

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:968

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:5072

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3296

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:3996

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3692

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1712

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4300

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5772

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:7156

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5344

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6508

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5256

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:2376

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:3776

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:3952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5104

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6236

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:744

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3144

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4988

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6524

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5268

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6572

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6716

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:4208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6376

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5928

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:2988

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1132

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5796

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6824

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5464

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4388

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6336

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5592

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:4072

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:6872

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:3324

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:6520

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:4704

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4004

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:2656

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3520

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1552

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:6404

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:6480

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6388

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:5792

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:3908

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5820

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5072

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:5168

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:2064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6708

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
- Drops file in Windows directory
PID:3732

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
- Drops file in Program Files directory
PID:3880

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:6736

C:\Windows\wkkwkm.exe
C:\Windows\wkkwkm.exe
1⤵
PID:5996

C:\Windows\wkkwkmSrv.exe
C:\Windows\wkkwkmSrv.exe
2⤵
PID:6564

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
PID:5248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RCX5F66.tmp
Filesize
111KB

MD5
595c07d480b779ce9f6db0080e294e9d

SHA1
e50c42d0a130594f1438aaa3a03a989e38a05049

SHA256
49000d1a7b50c8c951adf27d8d8e8897eae74dfb6eb58de563dec5c3602e2aa2

SHA512
04810b29c1d8a53eb96fd0f06874e1f442073a5075707a16f0d75a092d135ac0f6f0df5f2ba66492df6e5eea93b2b763364043cac382dcb5d2b81a27c5f93af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fbSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\hra33.dll
Filesize
8KB

MD5
3f9b5b8931b13dba1a3a2f3d6e8541b6

SHA1
47005386e9c6a913a16c2414a4e6034498efec0c

SHA256
effc70e657dc2f6ec78158ec0644be780ce99f5dd957564180b7781f20710c78

SHA512
7651eaaa575ac0d2e09ea110e6ea895416ee4051b38c4555d8dc8874a69e8f0eda255bd7368faa69b85af7893ef0f23a34074908af95723ae1fe4179f23bea83

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\81b3d968-908e-4132-828b-df255eac48a7.tmp
Filesize
10KB

MD5
522bda738bbb5d518ef1d01682c29c01

SHA1
4aa0a7d11edfb5ebf479a8be613105effde5d5ba

SHA256
f7c8ac17ef1c7bbfdcb37c6e49164d48ea7517f533bfe9000eaa63a02c953ecc

SHA512
1b358b2b5d971c393d6b960562d75ade7b2511a6269b7ef5e946b66b6a821ab1cd4650f3cb9ad827f81b53b7adf02abce0a300edaf7d2070671d6f94bcd54cb0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9707a68c3f80091d795bb907d79820da

SHA1
313c70bb297517a0829c0761707313ed0f2cb2cd

SHA256
e7b57e87ac5116146675f3c43c7bc38f628e39b895471e30cea1ed823f4bdd35

SHA512
7373576f35d6c3d74be546c525edb64bdbf180e4917367980cb772ae5a74b3d2697006d0fa8787481b692d04c92b1d56e568b9e4f70b921670644b0a8b4b47bf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\7f0391f2-878d-4a89-bf67-56ee0352e306.tmp
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
3KB

MD5
c1856d8d5e57329c7369de944941ce70

SHA1
bee38dd13864badce91d404ac2252847357f7097

SHA256
599d73cef3fec06378b71ad01a57e7e1ccb849fb536c4e07230dcb298b624cb6

SHA512
a3abd3a97402ac3e1befd6d98ca6bd4c586f6c1f74928e562d40c8c04cc59733803d7065513a9d2af8993f3ab1f34878161a39e3c0bc8e3f9d741bba03389427

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
15c9adb19558e22aaeba6cf9d97b3270

SHA1
07862fa18b9628517eac459f18cd953ea447f097

SHA256
8b52afccd194fe58b79af7e6fd9d3d0861326b6a36d24952adb938bbf32b8da1

SHA512
bf1bdefc44eb1ad13879475b77ee63293fd4561990d97b7e99e308497e5c4d3dce4dab97c416d04f855e7ea22392c1c9ece2debcd57d0536678ee2f3920e2a20

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
34f9517bfb6a00a55f872f09b9f44a04

SHA1
19aaf71f286a9e5a86134602d3e6d5cbf5bd12db

SHA256
c49daa4b0fc0260b48c8f32e356605b58d4b22408fb091bbaf46b5d3ec1e8229

SHA512
ac8001f76ba65a04dac0e41c8e3c8278a4e93b629ce4968d695b168ce730368b9d3d0fcbfa19c04f64b22796f347919e49643d9e156b6723c73197584a68b86f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe5742f4.TMP
Filesize
3KB

MD5
b58e539c2da9bbb0429857b2b63014a5

SHA1
7319bf81df907865c3883ecb5f0d8ad306c9ba7c

SHA256
9e6bf86e78aad027ade346518e3ffe9e4de6194fea6409844b5e927da7190596

SHA512
ebd5b5248c2c4e3b8ddd9bfd3e8ef44561c6c744c6dd424fc7cbde856737ba9f46e15eafc9765801ae42e30f685390f61155461b02df1e123ca51d0309dfade0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
3fd84204df5f9a25f3adba35aea5daa8

SHA1
8fbdd07a358ed866da57920683d0d895efea9c9f

SHA256
e1570539131b88db9bf18e11069012f80162b213965405fc3c1743ed2f7550db

SHA512
d1cc23d798b5fde999bb295a25cc1e8c8643377221d32229b87955beb99bc7d5db136aaf7388ba62476f7590c2f6e38feadd420ea67feaefcf7759fd9f72d502

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RFe576b3d.TMP
Filesize
24KB

MD5
e551d52df02e4539a93e894e31c45efd

SHA1
4fed38ff17f8f479ad5e33bc748cb9b9c6593d97

SHA256
459b403281898334b640ab60f9f3b5f3bd91dd1df1a584da13a8a0296054bf4e

SHA512
34318deab165c9c61a8b4f7b46d5693e9a42f10a0fb7d4750b46ec047fca1ed3e3c7cf6eb2e0d5934c9f27b6dc681d4e7a7af966001d93bd994ecfcab5daf776

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\a0e43c24-e653-4b49-ae21-942ca0467687.tmp
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini
Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Kno5498.tmp
Filesize
88KB

MD5
002d5646771d31d1e7c57990cc020150

SHA1
a28ec731f9106c252f313cca349a68ef94ee3de9

SHA256
1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

SHA512
689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
99f9ce54acf51b7cdaa3c4bbd85ebedd

SHA1
c9787bf2c9775452f89265a9c1b8f05e85c6bdb1

SHA256
dbcca315eedf06d3e769cef07dd361e57366c43c17e5c34662595b4301eb3b54

SHA512
631d0a8686a7fe0ec989fc6364f24065738a4bef040f4974b7faad656a6cd36ffbd5c17db2d57587b867faed1057a96d0131d2936fbe7c939aa5cfb5f900116b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Windows\wkkwkm.exe
Filesize
102KB

MD5
2494491f7f6287f30b46442eae071e4b

SHA1
ea34be368229a385f32c587d834e675012dfafeb

SHA256
22fad79d01398f7fa7a82986c319d0964508da666117fadb59845b617a77a3fb

SHA512
a8fa365fab2e29358dfc578f7e1315165c93a18bd93662c226bde96412e1862a249d9e1abd39547266a41997628f5d22678dd39de0cb80509567741d7014d702

Download Submit
\??\pipe\LOCAL\crashpad_1584_VBEPHXNONAARESKM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1220-327-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1264-1345-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1264-1332-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1388-490-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-428-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-1115-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-1128-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1992-959-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1992-1251-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1992-1059-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2260-1164-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2308-838-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2744-22-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2744-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2752-1313-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2936-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2936-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3068-1090-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3108-971-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3108-985-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3280-1030-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3496-800-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3604-1192-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3604-968-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3604-1179-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3664-375-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3664-352-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3696-506-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3696-493-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3960-9-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3960-49-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4016-39-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4016-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4236-877-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4400-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4400-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4400-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4400-16-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4552-1207-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4656-830-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4664-975-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4688-784-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4892-1144-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4920-1000-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4976-833-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4976-847-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4992-862-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5208-305-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5312-444-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5312-459-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5364-294-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/5368-434-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/5468-355-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5488-443-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5584-362-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/5604-1298-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5604-1285-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5668-316-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/5672-261-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5676-1266-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5696-247-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5696-242-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5708-462-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5708-475-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5720-1112-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5728-466-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/5736-250-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/5788-406-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5864-1282-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5864-1269-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5892-349-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5920-399-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5928-283-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5972-1062-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5972-1075-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5976-338-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/5980-450-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/5988-272-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/6000-382-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/6032-1134-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6172-521-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6176-815-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6220-1044-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6220-512-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/6288-952-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6316-539-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6316-524-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6336-527-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6340-1236-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6368-530-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6428-739-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6464-1316-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6512-730-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/6532-1222-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6536-542-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6536-724-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6576-892-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6592-1015-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6596-547-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/6596-546-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6616-1329-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6624-754-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6716-745-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/6752-769-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6868-1147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6868-1160-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6880-1176-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6896-895-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6896-908-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6948-759-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/6980-923-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/7112-937-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/7160-791-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download