xtremerat | 4a3132a3f4d12ffcea6cb6994ff26ea8090baf07a93598a056b7b26e1e9456db

Analysis

max time kernel
49s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e2b1668336a7974e3fecbbd0a41d53f.exe
Size

171KB
MD5

4e2b1668336a7974e3fecbbd0a41d53f
SHA1

686e9190da94c91c2f72bbd274d4a0e41d7bfeef
SHA256

4a3132a3f4d12ffcea6cb6994ff26ea8090baf07a93598a056b7b26e1e9456db
SHA512

7c42e7bf65c0c9485c2cb43d65a1035c4b5f761e766e360dceb02915b06bf81c951166c984d7e6d9f7060f3f9bb43298ec4f16cdc7675768dda61a760bd3bd57
SSDEEP

3072:YxexkMNY+4n8iVMMSq3Gso2APwDQTvZMQlrX8Zv:o6k/+4nNv8vIDQqS41

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 64 IoCs

resource	yara_rule
behavioral1/memory/2380-10-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2380-11-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2712-17-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2380-21-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2872-35-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2872-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1628-79-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2628-107-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2472-108-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1564-142-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2472-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2032-148-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2448-162-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2920-174-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1584-190-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1564-193-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2448-203-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2272-216-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1584-225-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1348-246-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1664-269-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1660-288-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1968-292-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1568-305-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1036-308-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1348-312-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1812-335-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1664-341-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1828-364-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2928-365-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1660-372-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1568-386-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2220-402-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2152-405-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/800-406-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1828-421-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2928-423-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3624-472-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2160-475-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2220-483-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3136-503-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1740-515-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3228-518-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3352-520-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3440-533-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3408-534-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3668-548-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3624-560-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2220-573-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3900-579-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3800-578-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/240-587-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/1740-601-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3804-624-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3408-629-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2740-641-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3668-643-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2220-669-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3964-675-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/240-697-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3780-711-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3976-723-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/3804-725-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral1/memory/2740-730-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	4e2b1668336a7974e3fecbbd0a41d53f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\system32\\installwin\\winini.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe

Executes dropped EXE 64 IoCs

pid	Process
2428	winini.exe
2872	winini.exe
2984	winini.exe
1736	winini.exe
1628	winini.exe
2628	winini.exe
1348	winini.exe
944	winini.exe
2032	winini.exe
2472	winini.exe
1048	winini.exe
2920	winini.exe
1600	winini.exe
1564	winini.exe
852	winini.exe
972	winini.exe
2448	winini.exe
2272	winini.exe
2204	winini.exe
1584	winini.exe
240	winini.exe
1740	winini.exe
2884	winini.exe
1968	winini.exe
2168	winini.exe
1028	winini.exe
1036	winini.exe
1348	winini.exe
1812	winini.exe
1664	winini.exe
2972	winini.exe
1660	winini.exe
2160	winini.exe
1568	winini.exe
1612	winini.exe
336	winini.exe
2152	winini.exe
800	winini.exe
2524	winini.exe
1876	winini.exe
1828	winini.exe
2928	winini.exe
1780	winini.exe
1964	iexplore.exe
2160	winini.exe
2532	winini.exe
2220	winini.exe
3080	winini.exe
3112	winini.exe
3136	winini.exe
3220	winini.exe
3264	winini.exe
3228	winini.exe
3352	winini.exe
3440	winini.exe
3592	winini.exe
3624	winini.exe
3756	winini.exe
3840	winini.exe
3800	winini.exe
3900	winini.exe
4088	winini.exe
1740	winini.exe
3252	iexplore.exe

Loads dropped DLL 20 IoCs

pid	Process
2380	4e2b1668336a7974e3fecbbd0a41d53f.exe
2380	4e2b1668336a7974e3fecbbd0a41d53f.exe
2872	winini.exe
2872	winini.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-3-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2380-4-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2380-7-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2380-9-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2380-10-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2380-11-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2712-17-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2380-21-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2872-35-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2872-45-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1628-79-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2628-107-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2472-108-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1564-142-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2472-143-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2032-148-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2448-162-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2920-174-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1584-190-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1564-193-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2448-203-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2272-216-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1584-225-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1348-246-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1664-269-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1660-288-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1968-292-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1568-305-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1036-308-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1348-312-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1812-335-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1664-341-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1828-364-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2928-365-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1660-372-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1568-386-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2220-402-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2152-405-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/800-406-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1828-421-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2928-423-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3624-472-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2160-475-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2220-483-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3136-503-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1740-515-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3228-518-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3352-520-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3440-533-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3408-534-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3668-548-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3624-560-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2220-573-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3900-579-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3800-578-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/240-587-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/1740-601-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3804-624-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3408-629-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2740-641-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3668-643-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/2220-669-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/3964-675-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral1/memory/240-697-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	4e2b1668336a7974e3fecbbd0a41d53f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	4e2b1668336a7974e3fecbbd0a41d53f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	4e2b1668336a7974e3fecbbd0a41d53f.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	iexplore.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	4e2b1668336a7974e3fecbbd0a41d53f.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe

Suspicious use of SetThreadContext 36 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2428 set thread context of 2872	2428	winini.exe	39
PID 2984 set thread context of 1628	2984	winini.exe	49
PID 1736 set thread context of 2628	1736	winini.exe	52
PID 1348 set thread context of 2032	1348	winini.exe	69
PID 944 set thread context of 2472	944	winini.exe	70
PID 1048 set thread context of 2920	1048	winini.exe	75
PID 1600 set thread context of 1564	1600	winini.exe	97
PID 852 set thread context of 2448	852	winini.exe	102
PID 972 set thread context of 2272	972	winini.exe	104
PID 2204 set thread context of 1584	2204	winini.exe	108
PID 240 set thread context of 1968	240	winini.exe	142
PID 2884 set thread context of 1036	2884	winini.exe	146
PID 2168 set thread context of 1348	2168	winini.exe	148
PID 1740 set thread context of 1812	1740	winini.exe	144
PID 1028 set thread context of 1664	1028	winini.exe	154
PID 2972 set thread context of 1660	2972	winini.exe	180
PID 2160 set thread context of 1568	2160	winini.exe	187
PID 1612 set thread context of 2152	1612	winini.exe	197
PID 336 set thread context of 800	336	winini.exe	199
PID 2524 set thread context of 1828	2524	winini.exe	209
PID 1876 set thread context of 2928	1876	winini.exe	208
PID 1964 set thread context of 2160	1964	iexplore.exe	238
PID 2532 set thread context of 2220	2532	winini.exe	245
PID 3080 set thread context of 3136	3080	winini.exe	260
PID 3112 set thread context of 3228	3112	winini.exe	265
PID 3264 set thread context of 3352	3264	winini.exe	271
PID 3220 set thread context of 3440	3220	winini.exe	275
PID 3592 set thread context of 3624	3592	winini.exe	287
PID 3756 set thread context of 3800	3756	winini.exe	299
PID 3840 set thread context of 3900	3840	winini.exe	305
PID 4088 set thread context of 1740	4088	winini.exe	321
PID 3252 set thread context of 3408	3252	iexplore.exe	406
PID 2560 set thread context of 3668	2560	winini.exe	486
PID 3460 set thread context of 2220	3460	winini.exe	351
PID 2548 set thread context of 3964	2548	winini.exe	354

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2276	4e2b1668336a7974e3fecbbd0a41d53f.exe
2428	winini.exe
2984	winini.exe
1736	winini.exe
1348	winini.exe
944	winini.exe
1048	winini.exe
1600	winini.exe
852	winini.exe
972	winini.exe
2204	winini.exe
240	winini.exe
1740	winini.exe
2884	winini.exe
2168	winini.exe
1028	winini.exe
2972	winini.exe
2160	winini.exe
1612	winini.exe
336	winini.exe
2524	winini.exe
1876	winini.exe
1780	winini.exe
1964	iexplore.exe
2532	winini.exe
3080	winini.exe
3112	winini.exe
3264	winini.exe
3220	winini.exe
3592	winini.exe
3756	winini.exe
3840	winini.exe
4088	winini.exe
3252	iexplore.exe
2560	winini.exe
3460	winini.exe
2548	winini.exe
3844	winini.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2276 wrote to memory of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2276 wrote to memory of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2276 wrote to memory of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2276 wrote to memory of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2276 wrote to memory of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2276 wrote to memory of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2276 wrote to memory of 2380	2276	4e2b1668336a7974e3fecbbd0a41d53f.exe	28
PID 2380 wrote to memory of 2712	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	29
PID 2380 wrote to memory of 2712	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	29
PID 2380 wrote to memory of 2712	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	29
PID 2380 wrote to memory of 2712	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	29
PID 2380 wrote to memory of 2712	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	29
PID 2380 wrote to memory of 2812	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	30
PID 2380 wrote to memory of 2812	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	30
PID 2380 wrote to memory of 2812	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	30
PID 2380 wrote to memory of 2812	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	30
PID 2380 wrote to memory of 2812	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	30
PID 2380 wrote to memory of 2720	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	31
PID 2380 wrote to memory of 2720	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	31
PID 2380 wrote to memory of 2720	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	31
PID 2380 wrote to memory of 2720	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	31
PID 2380 wrote to memory of 2720	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	31
PID 2380 wrote to memory of 2824	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	32
PID 2380 wrote to memory of 2824	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	32
PID 2380 wrote to memory of 2824	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	32
PID 2380 wrote to memory of 2824	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	32
PID 2380 wrote to memory of 2824	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	32
PID 2380 wrote to memory of 2904	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	33
PID 2380 wrote to memory of 2904	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	33
PID 2380 wrote to memory of 2904	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	33
PID 2380 wrote to memory of 2904	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	33
PID 2380 wrote to memory of 2904	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	33
PID 2380 wrote to memory of 2568	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	34
PID 2380 wrote to memory of 2568	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	34
PID 2380 wrote to memory of 2568	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	34
PID 2380 wrote to memory of 2568	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	34
PID 2380 wrote to memory of 2568	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	34
PID 2380 wrote to memory of 2444	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	35
PID 2380 wrote to memory of 2444	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	35
PID 2380 wrote to memory of 2444	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	35
PID 2380 wrote to memory of 2444	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	35
PID 2380 wrote to memory of 2444	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	35
PID 2380 wrote to memory of 2784	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	36
PID 2380 wrote to memory of 2784	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	36
PID 2380 wrote to memory of 2784	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	36
PID 2380 wrote to memory of 2784	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	36
PID 2380 wrote to memory of 2784	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	36
PID 2380 wrote to memory of 2808	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	37
PID 2380 wrote to memory of 2808	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	37
PID 2380 wrote to memory of 2808	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	37
PID 2380 wrote to memory of 2808	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	37
PID 2380 wrote to memory of 2428	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	38
PID 2380 wrote to memory of 2428	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	38
PID 2380 wrote to memory of 2428	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	38
PID 2380 wrote to memory of 2428	2380	4e2b1668336a7974e3fecbbd0a41d53f.exe	38
PID 2428 wrote to memory of 2872	2428	winini.exe	39
PID 2428 wrote to memory of 2872	2428	winini.exe	39
PID 2428 wrote to memory of 2872	2428	winini.exe	39
PID 2428 wrote to memory of 2872	2428	winini.exe	39
PID 2428 wrote to memory of 2872	2428	winini.exe	39
PID 2428 wrote to memory of 2872	2428	winini.exe	39
PID 2428 wrote to memory of 2872	2428	winini.exe	39
PID 2428 wrote to memory of 2872	2428	winini.exe	39

C:\Users\Admin\AppData\Local\Temp\4e2b1668336a7974e3fecbbd0a41d53f.exe
"C:\Users\Admin\AppData\Local\Temp\4e2b1668336a7974e3fecbbd0a41d53f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\4e2b1668336a7974e3fecbbd0a41d53f.exe
  2⤵
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2712
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1736
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2012
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:768
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3264
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        15⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        17⤵
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:1048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        18⤵
        
        PID:324
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        19⤵
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        20⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        21⤵
        
        PID:3164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        22⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        
        PID:3804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:944
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2416
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1620
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3080
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        15⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        16⤵
        
        PID:2204
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1600
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1564
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1676
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2228
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:240
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:944
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3840
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        14⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        15⤵
        
        PID:3976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        16⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        17⤵
        
        PID:4896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        18⤵
        
        PID:3692
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1740
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2188
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1360
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3220
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        
        PID:4416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        14⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        15⤵
        
        PID:4500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:924
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        16⤵
        
        PID:4128
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2972
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1660
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1112
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3756
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        
        PID:3448
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:1780
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        
        PID:240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3108
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3332
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4464
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4604
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        
        PID:4672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        8⤵
        
        PID:4340
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3592
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2868
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3844
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        
        PID:3780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        8⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        
        PID:4828
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2548
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3280
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4344
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        
        PID:4496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        8⤵
        
        PID:4424
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:2204
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        
        PID:4132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4272
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4748
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3876
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        
        PID:3336
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        
        PID:4476
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4772
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4780
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        7⤵
        
        PID:4208
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:3968
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        
        PID:1168
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        
        PID:5056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3060
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4948
      - C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        6⤵
        
        PID:4316
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:2180
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        
        PID:4660
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\installwin\winini.exe
        
        5⤵
        
        PID:4016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4636
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1512
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:4364
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\installwin\winini.exe
      "C:\Windows\system32\installwin\winini.exe"
      4⤵
      PID:1712
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2812
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2720
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2824
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2904
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2568
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2444
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2784
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\installwin\winini.exe
    "C:\Windows\system32\installwin\winini.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\installwin\winini.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      PID:2872
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2564
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2576
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2624
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2632
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2976
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3028
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2140
    - - C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2984
      - C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        14⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3112
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        16⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        17⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        18⤵
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:4092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        19⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        20⤵
        
        PID:2740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:4380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:4528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:4708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:4864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        21⤵
        
        PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\b5aQyA.cfg

Filesize
1KB

MD5
9b5c1860e1f8e16a93fed1328792f8f0

SHA1
fa1b62433d039316a0aaeccd85b6a67ecac460aa

SHA256
914b7207e17f1ef7f13f34eddeb7b20d5c84be93947ee0d8472b1265ed6e77fe

SHA512
1dbf0a26e0881614f1abaa3b11a3252460cf59d97db5c41adbf7f5ccda57a56b3824cd993b8f63046fbeb6a8a82fb7c571fc6ed4754d955093f30775e40f8b78

Download Submit
C:\Windows\SysWOW64\installwin\winini.exe

Filesize
171KB

MD5
4e2b1668336a7974e3fecbbd0a41d53f

SHA1
686e9190da94c91c2f72bbd274d4a0e41d7bfeef

SHA256
4a3132a3f4d12ffcea6cb6994ff26ea8090baf07a93598a056b7b26e1e9456db

SHA512
7c42e7bf65c0c9485c2cb43d65a1035c4b5f761e766e360dceb02915b06bf81c951166c984d7e6d9f7060f3f9bb43298ec4f16cdc7675768dda61a760bd3bd57

Download Submit
memory/240-697-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/240-587-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/800-406-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1036-308-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1348-312-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1348-246-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1564-193-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1564-142-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1568-386-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1568-305-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1584-225-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1584-190-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1628-79-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1660-288-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1660-372-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1664-341-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1664-269-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1740-601-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1740-515-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1812-335-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1828-421-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1828-364-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1968-292-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2032-148-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2152-405-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2160-475-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2220-483-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2220-669-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2220-573-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2220-402-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2272-216-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2380-4-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2380-10-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2380-9-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2380-21-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2380-2-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2380-3-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2380-11-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2380-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-7-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2448-162-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2448-203-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2472-108-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2472-143-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2628-107-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2712-17-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2740-641-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2740-730-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2872-35-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2872-45-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2920-174-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2928-423-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2928-365-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3136-503-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3228-518-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3352-520-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3408-629-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3408-534-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3440-533-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3624-560-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3624-472-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3668-548-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3668-643-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3780-711-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3800-578-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3804-624-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3804-725-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3900-579-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3964-675-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3976-723-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4132-734-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4208-737-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads