63a76fe85254818dfdadf6ad0b8efb1fc3ad76bded560c76eba456de4c459208

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db86cfeb5da035d609c8a564793a3f9c.exe
Size

364KB
MD5

db86cfeb5da035d609c8a564793a3f9c
SHA1

0bc91c08af0cdf1de593725f65f043f96aa76a79
SHA256

63a76fe85254818dfdadf6ad0b8efb1fc3ad76bded560c76eba456de4c459208
SHA512

f30461288242189cde960cfbcd8365b60365e790ba37597f3bef1a79ef1ca8a6fed5bcd14cb376791c7586736538a661056509b459f9f0b6d14744cf2e520475
SSDEEP

3072:/y5byk7RQfSy0LFpOLUls/H7LDQaWmRvk/xprmE91TCibHq5jtVInX4SRrrJ:/yExO5pOgls/bLDtRsr1Tjq5QoSRx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exedb86cfeb5da035d609c8a564793a3f9c.exewininet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	db86cfeb5da035d609c8a564793a3f9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe

Executes dropped EXE 64 IoCs

Processes:

pid	process
2772	wininet.exe
2540	wininet.exe
2552	wininet.exe
2572	wininet.exe
2512	wininet.exe
2524	wininet.exe
2424	wininet.exe
2984	wininet.exe
2076	wininet.exe
2736	wininet.exe
2732	wininet.exe
2320	wininet.exe
2876	wininet.exe
800	wininet.exe
2040	wininet.exe
804	wininet.exe
544	wininet.exe
1872	wininet.exe
1476	wininet.exe
296	wininet.exe
2948	wininet.exe
2924	wininet.exe
1708	wininet.exe
1972	wininet.exe
2816	wininet.exe
292	wininet.exe
900	wininet.exe
2308	wininet.exe
2120	wininet.exe
2936	wininet.exe
1656	wininet.exe
1952	wininet.exe
1812	wininet.exe
1936	wininet.exe
912	wininet.exe
1536	wininet.exe
1192	wininet.exe
2184	wininet.exe
2360	wininet.exe
2492	wininet.exe
2340	wininet.exe
1556	wininet.exe
2852	wininet.exe
2976	wininet.exe
2504	wininet.exe
2556	wininet.exe
2608	wininet.exe
2544	wininet.exe
2560	wininet.exe
1500	wininet.exe
2436	wininet.exe
2208	wininet.exe
2484	wininet.exe
2900	wininet.exe
2532	wininet.exe
2692	wininet.exe
2076	wininet.exe
2768	wininet.exe
2872	wininet.exe
2156	wininet.exe
1716	wininet.exe
1096	wininet.exe
1712	wininet.exe
1036	wininet.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
2848	db86cfeb5da035d609c8a564793a3f9c.exe
2848	db86cfeb5da035d609c8a564793a3f9c.exe
2772	wininet.exe
2540	wininet.exe
2540	wininet.exe
2572	wininet.exe
2572	wininet.exe
2524	wininet.exe
2524	wininet.exe
2984	wininet.exe
2984	wininet.exe
2736	wininet.exe
2736	wininet.exe
2320	wininet.exe
2320	wininet.exe
800	wininet.exe
800	wininet.exe
804	wininet.exe
804	wininet.exe
1872	wininet.exe
1872	wininet.exe
296	wininet.exe
296	wininet.exe
2924	wininet.exe
2924	wininet.exe
1972	wininet.exe
1972	wininet.exe
292	wininet.exe
292	wininet.exe
2308	wininet.exe
2308	wininet.exe
2936	wininet.exe
2936	wininet.exe
1952	wininet.exe
1952	wininet.exe
1936	wininet.exe
1936	wininet.exe
1536	wininet.exe
1536	wininet.exe
2184	wininet.exe
2184	wininet.exe
2492	wininet.exe
2492	wininet.exe
1556	wininet.exe
1556	wininet.exe
2976	wininet.exe
2976	wininet.exe
2556	wininet.exe
2556	wininet.exe
2544	wininet.exe
2544	wininet.exe
1500	wininet.exe
1500	wininet.exe
2208	wininet.exe
2208	wininet.exe
2900	wininet.exe
2900	wininet.exe
2692	wininet.exe
2692	wininet.exe
2768	wininet.exe
2768	wininet.exe
2156	wininet.exe
2156	wininet.exe
1096	wininet.exe

Drops file in System32 directory 64 IoCs

Processes:

wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exedb86cfeb5da035d609c8a564793a3f9c.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	db86cfeb5da035d609c8a564793a3f9c.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

db86cfeb5da035d609c8a564793a3f9c.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exe

description	pid	process	target process
PID 2836 set thread context of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2772 set thread context of 2540	2772	wininet.exe	wininet.exe
PID 2552 set thread context of 2572	2552	wininet.exe	wininet.exe
PID 2512 set thread context of 2524	2512	wininet.exe	wininet.exe
PID 2424 set thread context of 2984	2424	wininet.exe	wininet.exe
PID 2076 set thread context of 2736	2076	wininet.exe	wininet.exe
PID 2732 set thread context of 2320	2732	wininet.exe	wininet.exe
PID 2876 set thread context of 800	2876	wininet.exe	wininet.exe
PID 2040 set thread context of 804	2040	wininet.exe	wininet.exe
PID 544 set thread context of 1872	544	wininet.exe	wininet.exe
PID 1476 set thread context of 296	1476	wininet.exe	wininet.exe
PID 2948 set thread context of 2924	2948	wininet.exe	wininet.exe
PID 1708 set thread context of 1972	1708	wininet.exe	wininet.exe
PID 2816 set thread context of 292	2816	wininet.exe	wininet.exe
PID 900 set thread context of 2308	900	wininet.exe	wininet.exe
PID 2120 set thread context of 2936	2120	wininet.exe	wininet.exe
PID 1656 set thread context of 1952	1656	wininet.exe	wininet.exe
PID 1812 set thread context of 1936	1812	wininet.exe	wininet.exe
PID 912 set thread context of 1536	912	wininet.exe	wininet.exe
PID 1192 set thread context of 2184	1192	wininet.exe	wininet.exe
PID 2360 set thread context of 2492	2360	wininet.exe	wininet.exe
PID 2340 set thread context of 1556	2340	wininet.exe	wininet.exe
PID 2852 set thread context of 2976	2852	wininet.exe	wininet.exe
PID 2504 set thread context of 2556	2504	wininet.exe	wininet.exe
PID 2608 set thread context of 2544	2608	wininet.exe	wininet.exe
PID 2560 set thread context of 1500	2560	wininet.exe	wininet.exe
PID 2436 set thread context of 2208	2436	wininet.exe	wininet.exe
PID 2484 set thread context of 2900	2484	wininet.exe	wininet.exe
PID 2532 set thread context of 2692	2532	wininet.exe	wininet.exe
PID 2076 set thread context of 2768	2076	wininet.exe	wininet.exe
PID 2872 set thread context of 2156	2872	wininet.exe	wininet.exe
PID 1716 set thread context of 1096	1716	wininet.exe	wininet.exe
PID 1712 set thread context of 1036	1712	wininet.exe	wininet.exe
PID 1752 set thread context of 540	1752	wininet.exe	wininet.exe
PID 556 set thread context of 2472	556	wininet.exe	wininet.exe
PID 592 set thread context of 660	592	wininet.exe	wininet.exe
PID 1476 set thread context of 2452	1476	wininet.exe	wininet.exe
PID 3036 set thread context of 1928	3036	wininet.exe	wininet.exe
PID 1708 set thread context of 2808	1708	wininet.exe	wininet.exe
PID 2928 set thread context of 452	2928	wininet.exe	wininet.exe
PID 3064 set thread context of 2312	3064	wininet.exe	wininet.exe
PID 1400 set thread context of 1288	1400	wininet.exe	wininet.exe
PID 1920 set thread context of 2804	1920	wininet.exe	wininet.exe
PID 1152 set thread context of 948	1152	wininet.exe	wininet.exe
PID 1260 set thread context of 1532	1260	wininet.exe	wininet.exe
PID 1176 set thread context of 1144	1176	wininet.exe	wininet.exe
PID 2324 set thread context of 2340	2324	wininet.exe	wininet.exe
PID 2968 set thread context of 3008	2968	wininet.exe	wininet.exe
PID 2516 set thread context of 2636	2516	wininet.exe	wininet.exe
PID 2624 set thread context of 2656	2624	wininet.exe	wininet.exe
PID 2420 set thread context of 2580	2420	wininet.exe	wininet.exe
PID 2704 set thread context of 2468	2704	wininet.exe	wininet.exe
PID 2176 set thread context of 2920	2176	wininet.exe	wininet.exe
PID 2712 set thread context of 2752	2712	wininet.exe	wininet.exe
PID 2756 set thread context of 2856	2756	wininet.exe	wininet.exe
PID 996 set thread context of 312	996	wininet.exe	wininet.exe
PID 2876 set thread context of 1060	2876	wininet.exe	wininet.exe
PID 1980 set thread context of 2564	1980	wininet.exe	wininet.exe
PID 320 set thread context of 1900	320	wininet.exe	wininet.exe
PID 556 set thread context of 2220	556	wininet.exe	wininet.exe
PID 1112 set thread context of 2372	1112	wininet.exe	wininet.exe
PID 2956 set thread context of 2932	2956	wininet.exe	wininet.exe
PID 2592 set thread context of 412	2592	wininet.exe	wininet.exe
PID 2140 set thread context of 1804	2140	wininet.exe	wininet.exe

Modifies registry class 64 IoCs

Processes:

wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exedb86cfeb5da035d609c8a564793a3f9c.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	db86cfeb5da035d609c8a564793a3f9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	db86cfeb5da035d609c8a564793a3f9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2836	db86cfeb5da035d609c8a564793a3f9c.exe
2772	wininet.exe
2552	wininet.exe
2512	wininet.exe
2424	wininet.exe
2076	wininet.exe
2732	wininet.exe
2876	wininet.exe
2040	wininet.exe
544	wininet.exe
1476	wininet.exe
2948	wininet.exe
1708	wininet.exe
2816	wininet.exe
900	wininet.exe
2120	wininet.exe
1656	wininet.exe
1812	wininet.exe
912	wininet.exe
1192	wininet.exe
2360	wininet.exe
2340	wininet.exe
2852	wininet.exe
2504	wininet.exe
2608	wininet.exe
2560	wininet.exe
2436	wininet.exe
2484	wininet.exe
2532	wininet.exe
2076	wininet.exe
2872	wininet.exe
1716	wininet.exe
1712	wininet.exe
1752	wininet.exe
556	wininet.exe
592	wininet.exe
1476	wininet.exe
3036	wininet.exe
1708	wininet.exe
2928	wininet.exe
3064	wininet.exe
1400	wininet.exe
1920	wininet.exe
1152	wininet.exe
1260	wininet.exe
1176	wininet.exe
2324	wininet.exe
2968	wininet.exe
2516	wininet.exe
2624	wininet.exe
2420	wininet.exe
2704	wininet.exe
2176	wininet.exe
2712	wininet.exe
2756	wininet.exe
996	wininet.exe
2876	wininet.exe
1980	wininet.exe
320	wininet.exe
556	wininet.exe
1112	wininet.exe
2956	wininet.exe
2592	wininet.exe
2140	wininet.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

db86cfeb5da035d609c8a564793a3f9c.exedb86cfeb5da035d609c8a564793a3f9c.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exe

description	pid	process	target process
PID 2836 wrote to memory of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2836 wrote to memory of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2836 wrote to memory of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2836 wrote to memory of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2836 wrote to memory of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2836 wrote to memory of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2836 wrote to memory of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2836 wrote to memory of 2848	2836	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2848 wrote to memory of 2772	2848	db86cfeb5da035d609c8a564793a3f9c.exe	wininet.exe
PID 2848 wrote to memory of 2772	2848	db86cfeb5da035d609c8a564793a3f9c.exe	wininet.exe
PID 2848 wrote to memory of 2772	2848	db86cfeb5da035d609c8a564793a3f9c.exe	wininet.exe
PID 2848 wrote to memory of 2772	2848	db86cfeb5da035d609c8a564793a3f9c.exe	wininet.exe
PID 2772 wrote to memory of 2540	2772	wininet.exe	wininet.exe
PID 2772 wrote to memory of 2540	2772	wininet.exe	wininet.exe
PID 2772 wrote to memory of 2540	2772	wininet.exe	wininet.exe
PID 2772 wrote to memory of 2540	2772	wininet.exe	wininet.exe
PID 2772 wrote to memory of 2540	2772	wininet.exe	wininet.exe
PID 2772 wrote to memory of 2540	2772	wininet.exe	wininet.exe
PID 2772 wrote to memory of 2540	2772	wininet.exe	wininet.exe
PID 2772 wrote to memory of 2540	2772	wininet.exe	wininet.exe
PID 2540 wrote to memory of 2552	2540	wininet.exe	wininet.exe
PID 2540 wrote to memory of 2552	2540	wininet.exe	wininet.exe
PID 2540 wrote to memory of 2552	2540	wininet.exe	wininet.exe
PID 2540 wrote to memory of 2552	2540	wininet.exe	wininet.exe
PID 2552 wrote to memory of 2572	2552	wininet.exe	wininet.exe
PID 2552 wrote to memory of 2572	2552	wininet.exe	wininet.exe
PID 2552 wrote to memory of 2572	2552	wininet.exe	wininet.exe
PID 2552 wrote to memory of 2572	2552	wininet.exe	wininet.exe
PID 2552 wrote to memory of 2572	2552	wininet.exe	wininet.exe
PID 2552 wrote to memory of 2572	2552	wininet.exe	wininet.exe
PID 2552 wrote to memory of 2572	2552	wininet.exe	wininet.exe
PID 2552 wrote to memory of 2572	2552	wininet.exe	wininet.exe
PID 2572 wrote to memory of 2512	2572	wininet.exe	wininet.exe
PID 2572 wrote to memory of 2512	2572	wininet.exe	wininet.exe
PID 2572 wrote to memory of 2512	2572	wininet.exe	wininet.exe
PID 2572 wrote to memory of 2512	2572	wininet.exe	wininet.exe
PID 2512 wrote to memory of 2524	2512	wininet.exe	wininet.exe
PID 2512 wrote to memory of 2524	2512	wininet.exe	wininet.exe
PID 2512 wrote to memory of 2524	2512	wininet.exe	wininet.exe
PID 2512 wrote to memory of 2524	2512	wininet.exe	wininet.exe
PID 2512 wrote to memory of 2524	2512	wininet.exe	wininet.exe
PID 2512 wrote to memory of 2524	2512	wininet.exe	wininet.exe
PID 2512 wrote to memory of 2524	2512	wininet.exe	wininet.exe
PID 2512 wrote to memory of 2524	2512	wininet.exe	wininet.exe
PID 2524 wrote to memory of 2424	2524	wininet.exe	wininet.exe
PID 2524 wrote to memory of 2424	2524	wininet.exe	wininet.exe
PID 2524 wrote to memory of 2424	2524	wininet.exe	wininet.exe
PID 2524 wrote to memory of 2424	2524	wininet.exe	wininet.exe
PID 2424 wrote to memory of 2984	2424	wininet.exe	wininet.exe
PID 2424 wrote to memory of 2984	2424	wininet.exe	wininet.exe
PID 2424 wrote to memory of 2984	2424	wininet.exe	wininet.exe
PID 2424 wrote to memory of 2984	2424	wininet.exe	wininet.exe
PID 2424 wrote to memory of 2984	2424	wininet.exe	wininet.exe
PID 2424 wrote to memory of 2984	2424	wininet.exe	wininet.exe
PID 2424 wrote to memory of 2984	2424	wininet.exe	wininet.exe
PID 2424 wrote to memory of 2984	2424	wininet.exe	wininet.exe
PID 2984 wrote to memory of 2076	2984	wininet.exe	wininet.exe
PID 2984 wrote to memory of 2076	2984	wininet.exe	wininet.exe
PID 2984 wrote to memory of 2076	2984	wininet.exe	wininet.exe
PID 2984 wrote to memory of 2076	2984	wininet.exe	wininet.exe
PID 2076 wrote to memory of 2736	2076	wininet.exe	wininet.exe
PID 2076 wrote to memory of 2736	2076	wininet.exe	wininet.exe
PID 2076 wrote to memory of 2736	2076	wininet.exe	wininet.exe
PID 2076 wrote to memory of 2736	2076	wininet.exe	wininet.exe

C:\Users\Admin\AppData\Local\Temp\db86cfeb5da035d609c8a564793a3f9c.exe
"C:\Users\Admin\AppData\Local\Temp\db86cfeb5da035d609c8a564793a3f9c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\db86cfeb5da035d609c8a564793a3f9c.exe
"C:\Users\Admin\AppData\Local\Temp\db86cfeb5da035d609c8a564793a3f9c.exe"
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2736

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2320

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:800

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:804

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1872

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:296

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1972

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2816

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:292

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:900

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2936

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
34⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1952

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
36⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1936

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1536

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
40⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2184

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
42⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2492

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1556

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
50⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2544

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1500

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2208

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
56⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2900

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
58⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2692

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
60⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2768

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2156

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1096

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1036

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
67⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
68⤵
- Drops file in System32 directory
PID:540

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
69⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
70⤵
- Drops file in System32 directory
PID:2472

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
71⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:592

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
72⤵
- Modifies registry class
PID:660

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
73⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2452

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
76⤵
- Drops file in System32 directory
- Modifies registry class
PID:1928

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
77⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2808

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2928

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:452

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
81⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3064

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2312

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
83⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1288

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
86⤵
PID:2804

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
90⤵
- Drops file in System32 directory
PID:1532

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
91⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1144

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
93⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2340

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
95⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
96⤵
PID:3008

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
97⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2636

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
99⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2656

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
101⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2580

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
103⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
104⤵
PID:2468

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
105⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
106⤵
PID:2920

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
107⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2712

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2752

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
109⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2756

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
111⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:996

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:312

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
113⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1060

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
115⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2564

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
117⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:320

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
118⤵
- Drops file in System32 directory
PID:1900

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
119⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
120⤵
- Modifies registry class
PID:2220

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
121⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1112

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
122⤵
- Drops file in System32 directory
- Modifies registry class
PID:2372

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
123⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2932

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
125⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
126⤵
- Drops file in System32 directory
PID:412

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
127⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1804

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
129⤵
PID:1672

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
130⤵
- Drops file in System32 directory
PID:2260

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
131⤵
PID:1916

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
132⤵
PID:932

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
133⤵
PID:1704

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1612

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
135⤵
PID:1192

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
137⤵
PID:3068

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
138⤵
- Drops file in System32 directory
PID:1252

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
139⤵
PID:1548

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2852

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
141⤵
PID:1564

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
142⤵
PID:2912

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
143⤵
PID:2516

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2536

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
145⤵
PID:2448

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
146⤵
- Drops file in System32 directory
- Modifies registry class
PID:2576

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
147⤵
PID:2512

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
149⤵
PID:2412

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2908

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
151⤵
PID:2532

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
153⤵
PID:2076

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
154⤵
PID:1028

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
155⤵
PID:1552

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2388

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
157⤵
PID:2024

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
158⤵
- Drops file in System32 directory
- Modifies registry class
PID:1596

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
159⤵
PID:1712

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
160⤵
PID:992

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
161⤵
PID:320

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:488

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
163⤵
PID:2944

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
164⤵
- Modifies registry class
PID:2180

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
165⤵
PID:1732

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
166⤵
PID:3036

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
167⤵
PID:2236

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2128

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
169⤵
PID:1496

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1944

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
171⤵
PID:2148

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1324

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
173⤵
PID:1232

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
174⤵
- Modifies registry class
PID:2268

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
175⤵
PID:2192

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
176⤵
PID:1368

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
177⤵
PID:2164

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3068

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
179⤵
PID:2860

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2836

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
181⤵
PID:2052

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2644

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
183⤵
PID:2516

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
184⤵
- Drops file in System32 directory
PID:2800

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
185⤵
PID:2648

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:308

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
187⤵
PID:2432

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
188⤵
PID:1056

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
189⤵
PID:2176

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
190⤵
PID:2744

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
191⤵
PID:2712

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2740

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
193⤵
PID:1360

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1636

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
195⤵
PID:2024

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:324

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
197⤵
PID:1980

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
198⤵
- Drops file in System32 directory
- Modifies registry class
PID:1092

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
199⤵
PID:580

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
200⤵
- Modifies registry class
PID:2944

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
201⤵
PID:2948

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
202⤵
- Drops file in System32 directory
PID:1816

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
203⤵
PID:1508

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3064

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
205⤵
PID:2108

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
206⤵
PID:2820

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
207⤵
PID:1108

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
208⤵
- Modifies registry class
PID:824

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
209⤵
PID:1920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
210⤵
- Modifies registry class
PID:1924

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
211⤵
PID:904

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1704

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
213⤵
PID:2112

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:352

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
215⤵
PID:872

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
216⤵
PID:2324

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
217⤵
PID:1692

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
218⤵
PID:1880

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
219⤵
PID:2968

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
221⤵
PID:2660

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
222⤵
- Drops file in System32 directory
- Modifies registry class
PID:2436

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
223⤵
PID:2356

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
224⤵
- Drops file in System32 directory
- Modifies registry class
PID:2424

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
225⤵
PID:2980

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
227⤵
PID:1072

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2688

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
229⤵
PID:2712

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svshost.dll
Filesize
2KB

MD5
30e95d384411b634107cea578531fb4a

SHA1
1cb5206365f090c8737a7038368d00032470347f

SHA256
2a13ab37e010ceef72a27d3bdba139fc1f34fbdf752081f5fb1c6248600f4da1

SHA512
a44f48fbfc57e9ec0aff3aa6460ce096e29042be330aa77b62bf2337465acb8f8e4afe83610c575765cbfebe7041ca0dc32970ad9a0da711b1d6c940380b1ebe

Download Submit
C:\Windows\SysWOW64\wininet.exe
Filesize
64KB

MD5
13ac291c09952d6c20bb31d076bda637

SHA1
5ec1c72518efa1810c533c2653eed546c5f52ace

SHA256
73a6cc2379f6bbafd22a6c0fdb168fc954333859eca12093ea2853c3c5fcf535

SHA512
41c6561e4445b1487129e300faef9589e0f5c95b0b98d306dd1acdd2a586bc655008c7639fefc1780b4e73062e6dc3114d4ef2687ac2b688c83b119f8004a917

Download Submit
C:\Windows\SysWOW64\winint.exe
Filesize
65KB

MD5
226f46b43c1cf282061263b59b27e3ac

SHA1
ef0ea0dd2e0853e485b0234a2de512d96ad00cc4

SHA256
2c32c13df6eca75d6d8ff2fdb145c35e23e9bef7ade08dddfdd85b445cb40e64

SHA512
79cb42ae12ce18a2ed8fbc2444d4b9846eee806fce071a5343171a1d9c85481d3519347eabf9fbe6f6290f95892bab4e4de886ba7b11e82c67560cc9a1e469a4

Download Submit
\Windows\SysWOW64\wininet.exe
Filesize
192KB

MD5
0f33e0e4e7a2c03f4a1c82241767b52e

SHA1
13b3fce1a0387a255013a2482b1c9c46d598eda2

SHA256
88a3b5e13bff9079da4c45b694f2e1b63503b5da09f8e4bc24b86c46f576a13d

SHA512
821bc84e095962d2a7d223671a35b0ae58a6347738c238462548d4a720895364a23f0afae7f5a72e8471a28d1c3ffde969b64b923bcade88f17b41ee5b743c2c

Download Submit
\Windows\SysWOW64\wininet.exe
Filesize
364KB

MD5
db86cfeb5da035d609c8a564793a3f9c

SHA1
0bc91c08af0cdf1de593725f65f043f96aa76a79

SHA256
63a76fe85254818dfdadf6ad0b8efb1fc3ad76bded560c76eba456de4c459208

SHA512
f30461288242189cde960cfbcd8365b60365e790ba37597f3bef1a79ef1ca8a6fed5bcd14cb376791c7586736538a661056509b459f9f0b6d14744cf2e520475

Download Submit
memory/292-207-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/292-213-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/296-176-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/296-179-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/452-487-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/540-424-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/660-447-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/660-443-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/660-504-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/800-124-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/800-133-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/804-144-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/804-148-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1036-414-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1096-400-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1096-406-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1288-509-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1500-336-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1500-341-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1536-261-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1536-268-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1556-293-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1556-299-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1872-163-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1928-467-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1936-251-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1936-257-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1952-239-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1952-246-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1972-199-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2156-395-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2156-390-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2184-275-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2208-349-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2308-218-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2308-224-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2312-495-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2312-500-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2320-112-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2320-116-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2452-454-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2452-460-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2472-431-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2472-438-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2492-285-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2524-67-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2540-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2540-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2544-328-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2556-320-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2556-315-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2572-51-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-373-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-367-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2736-100-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2736-96-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2768-384-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2768-378-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2808-477-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2848-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2848-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2848-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2848-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2848-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2900-362-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2900-358-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-189-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-186-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2936-228-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2936-235-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2976-303-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2976-310-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2984-83-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads