63a76fe85254818dfdadf6ad0b8efb1fc3ad76bded560c76eba456de4c459208

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db86cfeb5da035d609c8a564793a3f9c.exe
Size

364KB
MD5

db86cfeb5da035d609c8a564793a3f9c
SHA1

0bc91c08af0cdf1de593725f65f043f96aa76a79
SHA256

63a76fe85254818dfdadf6ad0b8efb1fc3ad76bded560c76eba456de4c459208
SHA512

f30461288242189cde960cfbcd8365b60365e790ba37597f3bef1a79ef1ca8a6fed5bcd14cb376791c7586736538a661056509b459f9f0b6d14744cf2e520475
SSDEEP

3072:/y5byk7RQfSy0LFpOLUls/H7LDQaWmRvk/xprmE91TCibHq5jtVInX4SRrrJ:/yExO5pOgls/bLDtRsr1Tjq5QoSRx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"	wininet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}"

Executes dropped EXE 64 IoCs

Processes:

wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exe

pid	process
4288	wininet.exe
1188	wininet.exe
4004	wininet.exe
1480	wininet.exe
1616	wininet.exe
228	wininet.exe
4436	wininet.exe
4624	wininet.exe
3312	wininet.exe
4528	wininet.exe
5048	wininet.exe
2712	wininet.exe
3276	wininet.exe
1004	wininet.exe
4808	wininet.exe
2032	wininet.exe
5112	wininet.exe
3288	wininet.exe
4136	wininet.exe
964	wininet.exe
2904	wininet.exe
1992	wininet.exe
4780	wininet.exe
4032	wininet.exe
2348	wininet.exe
4640	wininet.exe
3404	wininet.exe
3144	wininet.exe
1080	wininet.exe
756	wininet.exe
3328	wininet.exe
5000	wininet.exe
3016	wininet.exe
2304	wininet.exe
4700	wininet.exe
1152	wininet.exe
1272	wininet.exe
4376	wininet.exe
3296	wininet.exe
4508	wininet.exe
4952	wininet.exe
2640	wininet.exe
4772	wininet.exe
208	wininet.exe
4848	wininet.exe
4356	wininet.exe
4180	wininet.exe
2036	wininet.exe
4968	wininet.exe
2016	wininet.exe
5116	wininet.exe
4240	wininet.exe
916	wininet.exe
4164	wininet.exe
4620	wininet.exe
2992	wininet.exe
3156	wininet.exe
1512	wininet.exe
1516	wininet.exe
2312	wininet.exe
3968	wininet.exe
2528	wininet.exe
4104	wininet.exe
1328	wininet.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File opened for modification	C:\Windows\SysWOW64\winint.exe
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File opened for modification	C:\Windows\SysWOW64\winint.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File opened for modification	C:\Windows\SysWOW64\winint.exe
File created	C:\Windows\SysWOW64\wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File created	C:\Windows\SysWOW64\wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File opened for modification	C:\Windows\SysWOW64\winint.exe	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll	wininet.exe
File created	C:\Windows\SysWOW64\wininet.exe	wininet.exe
File opened for modification	C:\Windows\SysWOW64\svshost.dll

Suspicious use of SetThreadContext 64 IoCs

Processes:

db86cfeb5da035d609c8a564793a3f9c.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exe

description	pid	process	target process
PID 4236 set thread context of 2056	4236	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 4288 set thread context of 1188	4288	wininet.exe	wininet.exe
PID 4004 set thread context of 1480	4004	wininet.exe	wininet.exe
PID 1616 set thread context of 228	1616	wininet.exe	wininet.exe
PID 4436 set thread context of 4624	4436	wininet.exe	wininet.exe
PID 3312 set thread context of 4528	3312	wininet.exe	wininet.exe
PID 5048 set thread context of 2712	5048	wininet.exe	wininet.exe
PID 3276 set thread context of 1004	3276	wininet.exe	wininet.exe
PID 4808 set thread context of 2032	4808	wininet.exe	wininet.exe
PID 5112 set thread context of 3288	5112	wininet.exe	wininet.exe
PID 4136 set thread context of 964	4136	wininet.exe	wininet.exe
PID 2904 set thread context of 1992	2904	wininet.exe	wininet.exe
PID 4780 set thread context of 4032	4780	wininet.exe	wininet.exe
PID 2348 set thread context of 4640	2348	wininet.exe	wininet.exe
PID 3404 set thread context of 3144	3404	wininet.exe	wininet.exe
PID 1080 set thread context of 756	1080	wininet.exe	wininet.exe
PID 3328 set thread context of 5000	3328	wininet.exe	wininet.exe
PID 3016 set thread context of 2304	3016	wininet.exe	wininet.exe
PID 4700 set thread context of 1152	4700	wininet.exe	wininet.exe
PID 1272 set thread context of 4376	1272	wininet.exe	wininet.exe
PID 3296 set thread context of 4508	3296	wininet.exe	wininet.exe
PID 4952 set thread context of 2640	4952	wininet.exe	wininet.exe
PID 4772 set thread context of 208	4772	wininet.exe	wininet.exe
PID 4848 set thread context of 4356	4848	wininet.exe	wininet.exe
PID 4180 set thread context of 2036	4180	wininet.exe	wininet.exe
PID 4968 set thread context of 2016	4968	wininet.exe	wininet.exe
PID 5116 set thread context of 4240	5116	wininet.exe	wininet.exe
PID 916 set thread context of 4164	916	wininet.exe	wininet.exe
PID 4620 set thread context of 2992	4620	wininet.exe	wininet.exe
PID 3156 set thread context of 1512	3156	wininet.exe	wininet.exe
PID 1516 set thread context of 2312	1516	wininet.exe	wininet.exe
PID 3968 set thread context of 2528	3968	wininet.exe	wininet.exe
PID 4104 set thread context of 1328	4104	wininet.exe	wininet.exe
PID 1556 set thread context of 4780	1556	wininet.exe	wininet.exe
PID 4512 set thread context of 2348	4512	wininet.exe	wininet.exe
PID 4724 set thread context of 1100	4724	wininet.exe	wininet.exe
PID 2236 set thread context of 2340	2236	wininet.exe	wininet.exe
PID 2428 set thread context of 1320	2428	wininet.exe	wininet.exe
PID 4616 set thread context of 3332	4616	wininet.exe	wininet.exe
PID 3016 set thread context of 2040	3016	wininet.exe	wininet.exe
PID 4700 set thread context of 4236	4700	wininet.exe	wininet.exe
PID 4584 set thread context of 1584	4584	wininet.exe	wininet.exe
PID 3368 set thread context of 4536	3368	wininet.exe	wininet.exe
PID 4668 set thread context of 3928	4668	wininet.exe	wininet.exe
PID 4380 set thread context of 1748	4380	wininet.exe	wininet.exe
PID 1580 set thread context of 2352	1580	wininet.exe	wininet.exe
PID 3972 set thread context of 3400	3972	wininet.exe	wininet.exe
PID 1040 set thread context of 5116	1040	wininet.exe	wininet.exe
PID 4964 set thread context of 4476	4964	wininet.exe	wininet.exe
PID 4880 set thread context of 724	4880	wininet.exe	wininet.exe
PID 1068 set thread context of 5112	1068	wininet.exe	wininet.exe
PID 2020 set thread context of 3456	2020	wininet.exe	wininet.exe
PID 1472 set thread context of 4136	1472	wininet.exe	wininet.exe
PID 4104 set thread context of 2260	4104	wininet.exe	wininet.exe
PID 920 set thread context of 2632	920	wininet.exe	wininet.exe
PID 4504 set thread context of 4492	4504	wininet.exe	wininet.exe
PID 4040 set thread context of 4788	4040	wininet.exe	wininet.exe
PID 2372 set thread context of 4028	2372	wininet.exe	wininet.exe
PID 4308 set thread context of 4576	4308	wininet.exe	wininet.exe
PID 3200 set thread context of 4260	3200	wininet.exe	wininet.exe
PID 2296 set thread context of 2420	2296	wininet.exe	wininet.exe
PID 1740 set thread context of 2216	1740	wininet.exe	wininet.exe
PID 4872 set thread context of 4288	4872	wininet.exe	wininet.exe
PID 3508 set thread context of 4668	3508	wininet.exe	wininet.exe

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}	db86cfeb5da035d609c8a564793a3f9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32	wininet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll"	wininet.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4236	db86cfeb5da035d609c8a564793a3f9c.exe
4288	wininet.exe
4004	wininet.exe
1616	wininet.exe
4436	wininet.exe
3312	wininet.exe
5048	wininet.exe
3276	wininet.exe
4808	wininet.exe
5112	wininet.exe
4136	wininet.exe
2904	wininet.exe
4780	wininet.exe
2348	wininet.exe
3404	wininet.exe
1080	wininet.exe
3328	wininet.exe
3016	wininet.exe
4700	wininet.exe
1272	wininet.exe
3296	wininet.exe
4952	wininet.exe
4772	wininet.exe
4848	wininet.exe
4180	wininet.exe
4968	wininet.exe
5116	wininet.exe
916	wininet.exe
4620	wininet.exe
3156	wininet.exe
1516	wininet.exe
3968	wininet.exe
4104	wininet.exe
1556	wininet.exe
4512	wininet.exe
4724	wininet.exe
2236	wininet.exe
2428	wininet.exe
4616	wininet.exe
3016	wininet.exe
4700	wininet.exe
4584	wininet.exe
3368	wininet.exe
4668	wininet.exe
4380	wininet.exe
1580	wininet.exe
3972	wininet.exe
1040	wininet.exe
4964	wininet.exe
4880	wininet.exe
1068	wininet.exe
2020	wininet.exe
1472	wininet.exe
4104	wininet.exe
920	wininet.exe
4504	wininet.exe
4040	wininet.exe
2372	wininet.exe
4308	wininet.exe
3200	wininet.exe
2296	wininet.exe
1740	wininet.exe
4872	wininet.exe
3508	wininet.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

db86cfeb5da035d609c8a564793a3f9c.exedb86cfeb5da035d609c8a564793a3f9c.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exe

description	pid	process	target process
PID 4236 wrote to memory of 2056	4236	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 4236 wrote to memory of 2056	4236	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 4236 wrote to memory of 2056	4236	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 4236 wrote to memory of 2056	4236	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 4236 wrote to memory of 2056	4236	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 4236 wrote to memory of 2056	4236	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 4236 wrote to memory of 2056	4236	db86cfeb5da035d609c8a564793a3f9c.exe	db86cfeb5da035d609c8a564793a3f9c.exe
PID 2056 wrote to memory of 4288	2056	db86cfeb5da035d609c8a564793a3f9c.exe	wininet.exe
PID 2056 wrote to memory of 4288	2056	db86cfeb5da035d609c8a564793a3f9c.exe	wininet.exe
PID 2056 wrote to memory of 4288	2056	db86cfeb5da035d609c8a564793a3f9c.exe	wininet.exe
PID 4288 wrote to memory of 1188	4288	wininet.exe	wininet.exe
PID 4288 wrote to memory of 1188	4288	wininet.exe	wininet.exe
PID 4288 wrote to memory of 1188	4288	wininet.exe	wininet.exe
PID 4288 wrote to memory of 1188	4288	wininet.exe	wininet.exe
PID 4288 wrote to memory of 1188	4288	wininet.exe	wininet.exe
PID 4288 wrote to memory of 1188	4288	wininet.exe	wininet.exe
PID 4288 wrote to memory of 1188	4288	wininet.exe	wininet.exe
PID 1188 wrote to memory of 4004	1188	wininet.exe	wininet.exe
PID 1188 wrote to memory of 4004	1188	wininet.exe	wininet.exe
PID 1188 wrote to memory of 4004	1188	wininet.exe	wininet.exe
PID 4004 wrote to memory of 1480	4004	wininet.exe	wininet.exe
PID 4004 wrote to memory of 1480	4004	wininet.exe	wininet.exe
PID 4004 wrote to memory of 1480	4004	wininet.exe	wininet.exe
PID 4004 wrote to memory of 1480	4004	wininet.exe	wininet.exe
PID 4004 wrote to memory of 1480	4004	wininet.exe	wininet.exe
PID 4004 wrote to memory of 1480	4004	wininet.exe	wininet.exe
PID 4004 wrote to memory of 1480	4004	wininet.exe	wininet.exe
PID 1480 wrote to memory of 1616	1480	wininet.exe	wininet.exe
PID 1480 wrote to memory of 1616	1480	wininet.exe	wininet.exe
PID 1480 wrote to memory of 1616	1480	wininet.exe	wininet.exe
PID 1616 wrote to memory of 228	1616	wininet.exe	wininet.exe
PID 1616 wrote to memory of 228	1616	wininet.exe	wininet.exe
PID 1616 wrote to memory of 228	1616	wininet.exe	wininet.exe
PID 1616 wrote to memory of 228	1616	wininet.exe	wininet.exe
PID 1616 wrote to memory of 228	1616	wininet.exe	wininet.exe
PID 1616 wrote to memory of 228	1616	wininet.exe	wininet.exe
PID 1616 wrote to memory of 228	1616	wininet.exe	wininet.exe
PID 228 wrote to memory of 4436	228	wininet.exe	wininet.exe
PID 228 wrote to memory of 4436	228	wininet.exe	wininet.exe
PID 228 wrote to memory of 4436	228	wininet.exe	wininet.exe
PID 4436 wrote to memory of 4624	4436	wininet.exe	wininet.exe
PID 4436 wrote to memory of 4624	4436	wininet.exe	wininet.exe
PID 4436 wrote to memory of 4624	4436	wininet.exe	wininet.exe
PID 4436 wrote to memory of 4624	4436	wininet.exe	wininet.exe
PID 4436 wrote to memory of 4624	4436	wininet.exe	wininet.exe
PID 4436 wrote to memory of 4624	4436	wininet.exe	wininet.exe
PID 4436 wrote to memory of 4624	4436	wininet.exe	wininet.exe
PID 4624 wrote to memory of 3312	4624	wininet.exe	wininet.exe
PID 4624 wrote to memory of 3312	4624	wininet.exe	wininet.exe
PID 4624 wrote to memory of 3312	4624	wininet.exe	wininet.exe
PID 3312 wrote to memory of 4528	3312	wininet.exe	wininet.exe
PID 3312 wrote to memory of 4528	3312	wininet.exe	wininet.exe
PID 3312 wrote to memory of 4528	3312	wininet.exe	wininet.exe
PID 3312 wrote to memory of 4528	3312	wininet.exe	wininet.exe
PID 3312 wrote to memory of 4528	3312	wininet.exe	wininet.exe
PID 3312 wrote to memory of 4528	3312	wininet.exe	wininet.exe
PID 3312 wrote to memory of 4528	3312	wininet.exe	wininet.exe
PID 4528 wrote to memory of 5048	4528	wininet.exe	wininet.exe
PID 4528 wrote to memory of 5048	4528	wininet.exe	wininet.exe
PID 4528 wrote to memory of 5048	4528	wininet.exe	wininet.exe
PID 5048 wrote to memory of 2712	5048	wininet.exe	wininet.exe
PID 5048 wrote to memory of 2712	5048	wininet.exe	wininet.exe
PID 5048 wrote to memory of 2712	5048	wininet.exe	wininet.exe
PID 5048 wrote to memory of 2712	5048	wininet.exe	wininet.exe

C:\Users\Admin\AppData\Local\Temp\db86cfeb5da035d609c8a564793a3f9c.exe
"C:\Users\Admin\AppData\Local\Temp\db86cfeb5da035d609c8a564793a3f9c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\db86cfeb5da035d609c8a564793a3f9c.exe
"C:\Users\Admin\AppData\Local\Temp\db86cfeb5da035d609c8a564793a3f9c.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
14⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3276

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
16⤵
- Executes dropped EXE
PID:1004

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
18⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
20⤵
- Executes dropped EXE
PID:3288

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
22⤵
- Executes dropped EXE
PID:964

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
24⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
26⤵
- Executes dropped EXE
- Modifies registry class
PID:4032

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
28⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
30⤵
- Executes dropped EXE
PID:3144

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
32⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
34⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3016

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
36⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
38⤵
- Executes dropped EXE
PID:1152

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
40⤵
- Executes dropped EXE
PID:4376

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
42⤵
- Executes dropped EXE
PID:4508

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
44⤵
- Executes dropped EXE
PID:2640

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
46⤵
- Executes dropped EXE
PID:208

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
48⤵
- Executes dropped EXE
PID:4356

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
50⤵
- Executes dropped EXE
PID:2036

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
52⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
54⤵
- Executes dropped EXE
PID:4240

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:916

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
56⤵
- Executes dropped EXE
PID:4164

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
58⤵
- Executes dropped EXE
PID:2992

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
60⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
62⤵
- Executes dropped EXE
PID:2312

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
64⤵
- Executes dropped EXE
PID:2528

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4104

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
66⤵
- Executes dropped EXE
PID:1328

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
67⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
68⤵
PID:4780

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
69⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
71⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
72⤵
PID:1100

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
73⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
74⤵
PID:2340

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
76⤵
PID:1320

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
77⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
78⤵
PID:3332

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3016

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
80⤵
PID:2040

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
81⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
82⤵
PID:4236

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
83⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
84⤵
PID:1584

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
86⤵
PID:4536

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
88⤵
PID:3928

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
90⤵
- Drops file in System32 directory
PID:1748

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
91⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
92⤵
- Drops file in System32 directory
PID:2352

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
93⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
94⤵
PID:3400

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
95⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
96⤵
PID:5116

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
97⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
98⤵
- Modifies registry class
PID:4476

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
99⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
100⤵
PID:724

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
101⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
102⤵
- Drops file in System32 directory
PID:5112

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
103⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
104⤵
PID:3456

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
105⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4136

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
107⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4104

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
108⤵
PID:2260

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
109⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
110⤵
PID:2632

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
111⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
112⤵
PID:4492

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
113⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
114⤵
PID:4788

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
115⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
116⤵
PID:4028

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
117⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
118⤵
PID:4576

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
119⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3200

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
120⤵
PID:4260

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
121⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
122⤵
PID:2420

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
123⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
124⤵
PID:2216

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
125⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4288

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
127⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
128⤵
- Drops file in System32 directory
PID:4668

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
129⤵
PID:4848

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
130⤵
PID:2148

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
131⤵
PID:4836

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
132⤵
PID:864

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
133⤵
PID:4324

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
134⤵
PID:508

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
135⤵
PID:4916

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
136⤵
PID:2980

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
137⤵
PID:1428

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
138⤵
PID:3168

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
139⤵
PID:1220

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
140⤵
PID:3156

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
141⤵
PID:3708

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
142⤵
PID:620

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
143⤵
PID:1084

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
145⤵
PID:1492

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
146⤵
PID:3124

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
147⤵
PID:1420

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
148⤵
PID:3216

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
149⤵
PID:3544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
150⤵
PID:1216

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
151⤵
PID:4688

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
152⤵
- Drops file in System32 directory
PID:2408

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
153⤵
PID:2284

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
154⤵
- Drops file in System32 directory
PID:3736

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
155⤵
PID:4596

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
156⤵
PID:3624

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
157⤵
PID:2296

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
158⤵
PID:2584

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
159⤵
PID:4084

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
160⤵
PID:452

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
161⤵
PID:3508

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
162⤵
PID:4340

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
163⤵
PID:3880

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
164⤵
PID:3972

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
165⤵
PID:3292

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
166⤵
PID:4324

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
167⤵
PID:5060

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
168⤵
- Drops file in System32 directory
PID:1816

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
169⤵
PID:2256

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
170⤵
- Modifies registry class
PID:1916

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
171⤵
PID:212

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
172⤵
PID:5052

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
173⤵
PID:4612

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
174⤵
PID:3024

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
175⤵
PID:3968

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
176⤵
PID:1176

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
177⤵
PID:1556

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
178⤵
PID:3360

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
179⤵
PID:4132

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
180⤵
PID:3076

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
181⤵
PID:5028

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
182⤵
PID:4048

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
183⤵
PID:1224

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
184⤵
PID:4908

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
185⤵
PID:2520

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
186⤵
PID:2908

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
187⤵
PID:1740

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
188⤵
PID:800

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
189⤵
PID:4900

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
190⤵
PID:2356

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
191⤵
PID:2728

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
192⤵
- Modifies registry class
PID:112

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
193⤵
PID:4968

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
194⤵
PID:3312

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
195⤵
PID:2492

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
196⤵
PID:2208

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
197⤵
PID:3308

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
198⤵
PID:3276

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
199⤵
PID:2252

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
200⤵
PID:3280

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
201⤵
PID:1864

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
202⤵
- Modifies registry class
PID:3708

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
203⤵
PID:4612

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
204⤵
PID:5004

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
205⤵
PID:2116

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
206⤵
PID:1516

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
207⤵
PID:4504

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
208⤵
- Drops file in System32 directory
PID:4480

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
209⤵
PID:4548

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
210⤵
PID:836

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
211⤵
PID:4708

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
212⤵
- Drops file in System32 directory
PID:2052

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
213⤵
PID:4616

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1072

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
215⤵
PID:3616

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
216⤵
PID:1740

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
217⤵
PID:2620

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
218⤵
PID:436

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
219⤵
PID:4928

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
221⤵
PID:3628

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
222⤵
PID:3472

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
223⤵
PID:1096

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
224⤵
PID:32

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
225⤵
PID:3308

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
226⤵
PID:2256

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
227⤵
PID:3268

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
228⤵
PID:1220

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
229⤵
PID:1864

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
230⤵
PID:4808

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
231⤵
PID:1492

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
232⤵
PID:2020

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
233⤵
PID:2072

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
234⤵
PID:1316

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
235⤵
PID:5084

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
236⤵
PID:2396

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
237⤵
PID:4548

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
238⤵
- Modifies registry class
PID:2380

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
239⤵
PID:2004

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
240⤵
PID:2520

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
241⤵
PID:4700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
242⤵
PID:2008

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
243⤵
PID:4084

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
244⤵
PID:4636

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
245⤵
PID:4872

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
246⤵
PID:3588

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
247⤵
PID:4180

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
248⤵
PID:636

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
249⤵
PID:624

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
250⤵
PID:5048

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
251⤵
PID:2060

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
252⤵
PID:1912

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
253⤵
PID:4828

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
254⤵
PID:640

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
255⤵
PID:4484

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
256⤵
- Drops file in System32 directory
PID:3520

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
257⤵
PID:1792

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
258⤵
PID:3272

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
259⤵
PID:3160

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
260⤵
PID:2116

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
261⤵
PID:920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
262⤵
- Drops file in System32 directory
PID:4452

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
263⤵
PID:4504

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
264⤵
PID:1692

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
265⤵
PID:4708

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
266⤵
PID:4720

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
267⤵
PID:4700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
268⤵
PID:4036

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
269⤵
PID:2364

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
270⤵
PID:3436

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
271⤵
PID:4848

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
272⤵
PID:1164

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
273⤵
PID:624

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
274⤵
PID:1608

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
275⤵
PID:3196

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
276⤵
PID:244

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
277⤵
PID:4660

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
278⤵
PID:5108

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
279⤵
PID:3636

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
280⤵
PID:3532

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
281⤵
PID:1556

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
282⤵
PID:2200

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
283⤵
PID:3160

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
284⤵
PID:4040

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
285⤵
PID:4132

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
286⤵
PID:4784

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
287⤵
PID:4504

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
288⤵
PID:3296

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
289⤵
PID:1272

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
290⤵
PID:4468

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
291⤵
PID:5012

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
292⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1144

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
293⤵
PID:1636

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
294⤵
PID:2492

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
295⤵
PID:2292

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
296⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
297⤵
PID:2988

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
298⤵
PID:1304

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
299⤵
PID:4220

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
300⤵
PID:212

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
301⤵
PID:5044

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
302⤵
PID:1084

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
303⤵
PID:1836

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
304⤵
PID:2228

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
305⤵
PID:1420

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
306⤵
PID:5084

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
307⤵
PID:1700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
308⤵
PID:3724

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
309⤵
PID:4708

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
310⤵
PID:632

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
311⤵
PID:1040

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
312⤵
PID:4896

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
313⤵
PID:3500

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
314⤵
- Modifies registry class
PID:3880

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
315⤵
PID:3292

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
316⤵
PID:4960

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
317⤵
PID:2060

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
318⤵
PID:400

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
319⤵
PID:1732

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
320⤵
PID:4524

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
321⤵
PID:1864

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
322⤵
PID:4156

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
323⤵
PID:808

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
324⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
325⤵
PID:1836

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
326⤵
PID:3540

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
327⤵
PID:3544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
328⤵
PID:3252

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
329⤵
PID:4688

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
330⤵
- Modifies registry class
PID:4004

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
331⤵
PID:4872

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
332⤵
PID:4248

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
333⤵
PID:1040

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
334⤵
- Modifies registry class
PID:3964

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
335⤵
PID:4916

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
336⤵
PID:4860

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
337⤵
PID:1168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
338⤵
PID:4620

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
339⤵
PID:3188

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
340⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4852

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
341⤵
PID:1464

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
342⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3192

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
343⤵
PID:4300

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
344⤵
- Drops file in System32 directory
PID:4228

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
345⤵
PID:5044

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
346⤵
PID:4828

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
347⤵
PID:4512

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
348⤵
PID:1836

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
349⤵
PID:4296

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
350⤵
PID:1700

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
351⤵
PID:1580

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
352⤵
PID:4708

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
353⤵
PID:3616

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
354⤵
PID:3800

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
355⤵
PID:2636

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
356⤵
PID:5060

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
357⤵
PID:3628

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
358⤵
PID:3120

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
359⤵
PID:4712

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
360⤵
PID:3856

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
361⤵
PID:3196

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
362⤵
PID:4220

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
363⤵
PID:4108

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
364⤵
PID:3140

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
365⤵
PID:1080

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
366⤵
PID:3728

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
367⤵
PID:5044

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
368⤵
PID:4284

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
369⤵
PID:3220

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
370⤵
PID:4296

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
371⤵
PID:2552

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
372⤵
PID:4092

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
373⤵
PID:4604

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
374⤵
PID:5012

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
375⤵
PID:3992

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
376⤵
PID:916

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
377⤵
PID:4224

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
378⤵
PID:4880

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
379⤵
PID:1428

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
380⤵
- Modifies registry class
PID:376

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
381⤵
PID:4520

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
382⤵
PID:1556

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
383⤵
PID:1324

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
384⤵
PID:2984

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
385⤵
PID:4512

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
386⤵
PID:3544

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
387⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
388⤵
PID:3140

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
389⤵
PID:3636

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
390⤵
PID:4504

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
391⤵
PID:4700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
392⤵
PID:4580

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
393⤵
PID:4836

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
394⤵
PID:4604

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
395⤵
PID:4368

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
396⤵
PID:3628

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
397⤵
PID:624

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
398⤵
PID:4712

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
399⤵
PID:1676

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
400⤵
PID:1464

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
401⤵
PID:808

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
402⤵
PID:4400

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
403⤵
PID:2532

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
404⤵
PID:3548

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
405⤵
PID:3688

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
406⤵
PID:4696

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
407⤵
PID:460

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
408⤵
PID:4084

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
409⤵
PID:4080

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
410⤵
PID:4448

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
411⤵
PID:3616

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
412⤵
PID:1580

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
413⤵
PID:4916

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
414⤵
PID:4964

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
415⤵
PID:4056

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
416⤵
PID:4224

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
417⤵
PID:1432

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
418⤵
PID:4108

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
419⤵
PID:4772

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
420⤵
PID:3704

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
421⤵
PID:1080

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
422⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:392

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
423⤵
PID:2688

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
424⤵
PID:3968

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
425⤵
PID:4336

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
426⤵
- Drops file in System32 directory
PID:3220

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
427⤵
PID:1920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
428⤵
PID:4264

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
429⤵
PID:1172

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
430⤵
PID:4328

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
431⤵
PID:2636

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
432⤵
PID:3604

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
433⤵
PID:3344

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
434⤵
PID:3328

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
435⤵
PID:4380

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
436⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2072

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
437⤵
PID:2168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
438⤵
PID:3340

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
439⤵
PID:2532

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
440⤵
PID:1864

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
441⤵
PID:1488

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
442⤵
PID:1796

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
443⤵
PID:4132

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
444⤵
PID:372

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
445⤵
PID:1284

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
446⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3500

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
447⤵
PID:364

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
448⤵
PID:4368

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
449⤵
PID:2636

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
450⤵
PID:5092

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
451⤵
PID:3188

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
452⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
453⤵
PID:4772

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
454⤵
PID:4076

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
455⤵
PID:1420

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
456⤵
PID:4548

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
457⤵
PID:4688

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
458⤵
PID:2688

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
459⤵
PID:1688

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
460⤵
PID:4968

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
461⤵
PID:3724

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
462⤵
PID:1448

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
463⤵
PID:896

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
464⤵
PID:4976

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
465⤵
PID:3268

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
466⤵
PID:4408

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
467⤵
PID:4300

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
468⤵
PID:4380

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
469⤵
PID:2168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
470⤵
PID:4484

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
471⤵
PID:1156

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
472⤵
PID:4680

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
473⤵
PID:1492

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
474⤵
PID:3920

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
475⤵
PID:4336

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
476⤵
PID:4848

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
477⤵
PID:4080

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
478⤵
PID:1900

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
479⤵
PID:896

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
480⤵
PID:1676

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
481⤵
PID:1432

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
482⤵
PID:1628

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
483⤵
PID:4772

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
484⤵
PID:1436

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
485⤵
PID:3932

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
486⤵
PID:4244

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
487⤵
PID:2704

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
488⤵
PID:3636

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
489⤵
PID:4872

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
490⤵
PID:2860

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
491⤵
PID:4180

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
492⤵
- Modifies registry class
PID:3180

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
493⤵
PID:3992

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
494⤵
- Modifies registry class
PID:896

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
495⤵
PID:4056

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
496⤵
PID:1284

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
497⤵
PID:4772

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
498⤵
PID:4268

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
499⤵
PID:2364

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
500⤵
PID:1536

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
501⤵
PID:3524

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
502⤵
PID:744

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
503⤵
PID:544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
504⤵
PID:2548

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
505⤵
PID:3672

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
506⤵
PID:3992

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
507⤵
PID:2104

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
508⤵
PID:804

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
509⤵
PID:4972

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
510⤵
PID:4840

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
511⤵
PID:4688

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
512⤵
PID:2552

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
513⤵
PID:4700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
514⤵
PID:1920

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
515⤵
PID:3724

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
516⤵
PID:3196

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
517⤵
PID:5104

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
518⤵
PID:4592

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
519⤵
PID:424

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
520⤵
PID:2284

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
521⤵
PID:944

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
522⤵
- Drops file in System32 directory
PID:404

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
523⤵
PID:1272

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
524⤵
PID:1648

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
525⤵
PID:4836

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
526⤵
PID:1636

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
527⤵
PID:4612

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
528⤵
PID:1484

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
529⤵
PID:1168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
530⤵
PID:1652

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
531⤵
PID:3992

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
532⤵
PID:1552

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
533⤵
PID:3616

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
534⤵
- Drops file in System32 directory
PID:1156

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
535⤵
PID:2364

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
536⤵
PID:1688

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
537⤵
PID:2612

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
538⤵
PID:3524

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
539⤵
PID:1096

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
540⤵
PID:1324

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
541⤵
PID:1340

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
542⤵
PID:4724

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
543⤵
PID:2728

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
544⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
545⤵
PID:1492

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
546⤵
PID:1172

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
547⤵
PID:3780

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
548⤵
- Modifies registry class
PID:544

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
549⤵
PID:4500

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
550⤵
PID:4364

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
551⤵
PID:1096

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
552⤵
PID:2060

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
553⤵
PID:1732

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
554⤵
PID:3992

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
555⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
556⤵
PID:1492

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
557⤵
PID:2620

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
558⤵
PID:3552

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
559⤵
PID:664

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
560⤵
- Modifies registry class
PID:4612

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
561⤵
PID:3516

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
562⤵
PID:1096

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
563⤵
PID:3932

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
564⤵
PID:1732

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
565⤵
PID:5068

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
566⤵
PID:3464

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
567⤵
PID:4332

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
568⤵
PID:2636

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
569⤵
PID:3268

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
570⤵
PID:540

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
571⤵
PID:2168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
572⤵
PID:2344

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
573⤵
PID:2296

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
574⤵
PID:4700

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
575⤵
PID:4916

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
576⤵
PID:2612

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
577⤵
PID:2568

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
578⤵
PID:4500

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
579⤵
PID:1792

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
580⤵
PID:3516

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
581⤵
PID:944

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
582⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4444

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
583⤵
PID:3292

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
584⤵
PID:4520

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
585⤵
PID:3780

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
586⤵
PID:4532

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
587⤵
PID:4544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
588⤵
PID:4992

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
589⤵
PID:2168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
590⤵
PID:944

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
591⤵
PID:3932

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
592⤵
PID:3292

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
593⤵
PID:3672

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
594⤵
PID:1664

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
595⤵
PID:2568

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
596⤵
PID:4872

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
597⤵
PID:3772

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
598⤵
PID:232

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
599⤵
PID:5068

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
600⤵
PID:3204

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
601⤵
PID:2704

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
602⤵
PID:424

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
603⤵
PID:4928

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
604⤵
PID:2728

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
605⤵
PID:4396

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
606⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4772

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
607⤵
PID:4332

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
608⤵
PID:2292

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
609⤵
PID:1168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
610⤵
PID:3824

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
611⤵
PID:2508

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
612⤵
PID:2068

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
613⤵
PID:664

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
614⤵
PID:364

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
615⤵
PID:3780

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
616⤵
PID:460

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
617⤵
PID:2252

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
618⤵
PID:2296

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
619⤵
PID:2904

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
620⤵
PID:808

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
621⤵
PID:3672

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
622⤵
PID:4056

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
623⤵
PID:4916

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
624⤵
PID:5068

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
625⤵
PID:4396

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
626⤵
PID:2704

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
627⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
628⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4972

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
629⤵
PID:1792

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
630⤵
PID:2764

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
631⤵
PID:4080

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
632⤵
PID:3040

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
633⤵
PID:3188

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
634⤵
PID:4916

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
635⤵
PID:2508

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
636⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3616

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
637⤵
PID:3672

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
638⤵
PID:2252

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
639⤵
PID:4544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
640⤵
PID:3344

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
641⤵
PID:3404

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
642⤵
- Drops file in System32 directory
PID:4132

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
643⤵
PID:4388

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
644⤵
PID:3152

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
645⤵
PID:1488

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
646⤵
PID:4768

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
647⤵
PID:4396

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
648⤵
PID:1168

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
649⤵
PID:2104

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
650⤵
PID:3160

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
651⤵
PID:1488

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
652⤵
PID:4836

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
653⤵
PID:4396

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
654⤵
PID:3772

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
655⤵
PID:524

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
656⤵
PID:2276

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
657⤵
PID:1432

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
658⤵
PID:1792

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
659⤵
PID:3412

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
660⤵
PID:1080

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
661⤵
PID:3724

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
662⤵
PID:4928

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
663⤵
PID:3648

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
664⤵
- Modifies registry class
PID:2532

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
665⤵
PID:4388

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
666⤵
- Modifies registry class
PID:4396

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
667⤵
PID:4360

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
668⤵
PID:3648

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
669⤵
PID:3596

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
670⤵
PID:4300

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
671⤵
PID:4268

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
672⤵
PID:2104

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
673⤵
PID:3308

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
674⤵
PID:4080

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
675⤵
PID:4544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
676⤵
- Drops file in System32 directory
PID:1488

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
677⤵
PID:920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
678⤵
PID:5104

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
679⤵
PID:3724

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
680⤵
PID:1080

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
681⤵
PID:4268

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
682⤵
PID:3596

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
683⤵
PID:3580

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
684⤵
PID:2988

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
685⤵
PID:3780

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
686⤵
PID:1196

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
687⤵
PID:3724

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
688⤵
PID:4544

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
689⤵
PID:524

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
690⤵
PID:4336

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
691⤵
PID:3308

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
692⤵
PID:3188

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
693⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
694⤵
PID:4388

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
695⤵
PID:3308

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
696⤵
PID:3724

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
697⤵
PID:1428

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
698⤵
PID:2168

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
699⤵
PID:5016

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
700⤵
PID:3780

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
701⤵
PID:524

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
702⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
703⤵
PID:1432

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
704⤵
PID:1428

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
705⤵
PID:2508

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
706⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
707⤵
PID:2620

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
708⤵
PID:524

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
709⤵
PID:5016

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
710⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
711⤵
PID:4360

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
712⤵
PID:3308

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
713⤵
PID:3412

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
714⤵
PID:3264

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
715⤵
PID:5016

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
716⤵
PID:4360

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
717⤵
PID:2620

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
718⤵
PID:3932

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
719⤵
PID:920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
720⤵
PID:3580

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
721⤵
PID:3688

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
722⤵
PID:2508

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
723⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
724⤵
- Drops file in System32 directory
PID:3412

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
725⤵
PID:3676

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
726⤵
PID:2620

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
727⤵
PID:920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
728⤵
PID:4268

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
729⤵
PID:524

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
730⤵
PID:5016

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
731⤵
PID:1432

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
732⤵
PID:3688

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
733⤵
PID:5136

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
734⤵
PID:5176

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
735⤵
PID:5208

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
736⤵
PID:5252

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
737⤵
PID:5284

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
738⤵
- Modifies registry class
PID:5328

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
739⤵
PID:5364

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
740⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
741⤵
PID:5440

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
742⤵
PID:5480

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
743⤵
PID:5516

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
744⤵
PID:5556

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
745⤵
PID:5592

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
746⤵
- Modifies registry class
PID:5636

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
747⤵
PID:5668

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
748⤵
- Modifies registry class
PID:5708

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
749⤵
PID:5740

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
750⤵
PID:5780

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
751⤵
PID:5816

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
752⤵
PID:5856

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
753⤵
PID:5892

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
754⤵
PID:5932

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
755⤵
PID:5968

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
756⤵
PID:6008

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
757⤵
PID:6044

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
758⤵
PID:6084

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
759⤵
PID:6116

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
760⤵
PID:3676

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
761⤵
PID:5124

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
762⤵
PID:5200

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
763⤵
PID:5180

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
764⤵
PID:5228

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
765⤵
PID:5276

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
766⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
767⤵
PID:5344

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
768⤵
PID:5448

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
769⤵
PID:3672

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
770⤵
PID:5512

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
771⤵
PID:5496

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
772⤵
PID:5588

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
773⤵
PID:5628

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
774⤵
PID:5664

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
775⤵
PID:5716

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
776⤵
PID:5756

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
777⤵
PID:5744

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
778⤵
PID:5832

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
779⤵
PID:5840

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
780⤵
PID:5908

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
781⤵
PID:5944

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
782⤵
- Modifies registry class
PID:5956

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
783⤵
PID:5988

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
784⤵
PID:6012

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
785⤵
PID:6112

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
786⤵
PID:5608

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
787⤵
PID:5168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
788⤵
PID:5216

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
789⤵
PID:5192

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
790⤵
PID:5244

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
791⤵
PID:5320

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
792⤵
PID:5372

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
793⤵
PID:5400

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
794⤵
PID:5464

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
795⤵
PID:5492

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
796⤵
PID:5444

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
797⤵
PID:5508

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
798⤵
PID:5560

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
799⤵
PID:5612

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
800⤵
PID:5704

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
801⤵
PID:5700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
802⤵
PID:5768

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
803⤵
PID:5828

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
804⤵
PID:5836

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
805⤵
PID:5388

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
806⤵
PID:5896

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
807⤵
PID:5948

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
808⤵
PID:6052

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
809⤵
PID:6080

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
810⤵
PID:6124

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
811⤵
PID:6132

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
812⤵
PID:524

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
813⤵
PID:5164

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
814⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
815⤵
PID:5204

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
816⤵
PID:5292

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
817⤵
PID:5368

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
818⤵
PID:5300

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
819⤵
PID:5352

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
820⤵
PID:5364

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
821⤵
PID:5544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
822⤵
PID:5564

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
823⤵
PID:5644

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
824⤵
PID:5628

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
825⤵
PID:5752

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
826⤵
PID:5740

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
827⤵
PID:5812

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
828⤵
PID:5744

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
829⤵
PID:5816

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
830⤵
PID:5388

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
831⤵
PID:5940

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
832⤵
PID:6024

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
833⤵
PID:6016

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
834⤵
PID:6048

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
835⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
836⤵
PID:6132

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
837⤵
PID:5220

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
838⤵
PID:5236

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
839⤵
PID:5312

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
840⤵
PID:5340

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
841⤵
PID:5412

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
842⤵
PID:5356

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
843⤵
PID:5392

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
844⤵
PID:5532

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
845⤵
PID:3672

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
846⤵
PID:5684

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
847⤵
PID:5540

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
848⤵
PID:5712

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
849⤵
PID:5728

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
850⤵
PID:5772

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
851⤵
PID:5792

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
852⤵
PID:5916

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
853⤵
PID:5984

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
854⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5972

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
855⤵
PID:6060

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
856⤵
PID:6092

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
857⤵
PID:5988

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
858⤵
PID:5160

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
859⤵
PID:5168

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
860⤵
PID:5260

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
861⤵
PID:5280

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
862⤵
PID:5272

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
863⤵
PID:5376

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
864⤵
PID:5488

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
865⤵
PID:5476

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
866⤵
PID:5516

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
867⤵
PID:5520

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
868⤵
PID:5604

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
869⤵
PID:5692

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
870⤵
PID:5688

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
871⤵
PID:5788

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
872⤵
PID:5652

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
873⤵
PID:5844

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
874⤵
PID:5884

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
875⤵
PID:5816

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
876⤵
- Drops file in System32 directory
PID:5948

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
877⤵
PID:6056

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
878⤵
PID:5968

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
879⤵
PID:5172

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
880⤵
PID:5188

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
881⤵
PID:5212

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
882⤵
PID:5132

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
883⤵
PID:5248

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
884⤵
PID:5396

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
885⤵
PID:5384

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
886⤵
PID:5344

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
887⤵
PID:5412

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
888⤵
PID:5476

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
889⤵
PID:5524

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
890⤵
PID:5592

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
891⤵
PID:5640

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
892⤵
PID:5720

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
893⤵
PID:5784

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
894⤵
PID:5800

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
895⤵
PID:5888

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
896⤵
PID:5964

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
897⤵
PID:6032

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
898⤵
PID:4644

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
899⤵
PID:1040

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
900⤵
PID:5940

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
901⤵
PID:6088

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
902⤵
PID:6100

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
903⤵
PID:5212

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
904⤵
PID:5304

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
905⤵
PID:5248

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
906⤵
PID:5416

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
907⤵
PID:5504

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
908⤵
PID:5420

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
909⤵
PID:5528

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
910⤵
PID:3672

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
911⤵
PID:5600

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
912⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5644

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
913⤵
PID:5788

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
914⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5724

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
915⤵
PID:5700

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
916⤵
- Drops file in System32 directory
PID:5976

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
917⤵
PID:6020

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
918⤵
- Modifies registry class
PID:6032

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
919⤵
PID:5984

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
920⤵
PID:6104

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
921⤵
PID:5136

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
922⤵
PID:1944

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
923⤵
PID:5544

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
924⤵
PID:5180

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
925⤵
PID:5376

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
926⤵
PID:5500

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
927⤵
PID:5456

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
928⤵
PID:5492

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
929⤵
PID:5552

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
930⤵
PID:5632

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
931⤵
PID:5648

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
932⤵
PID:5640

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
933⤵
PID:5788

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
934⤵
PID:5880

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
935⤵
PID:5796

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
936⤵
PID:5904

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
937⤵
PID:6064

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
938⤵
PID:5124

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
939⤵
PID:5264

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
940⤵
- Drops file in System32 directory
PID:3940

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
941⤵
PID:5256

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
942⤵
PID:3504

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
943⤵
PID:5428

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
944⤵
PID:5384

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
945⤵
PID:5412

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
946⤵
PID:5548

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
947⤵
PID:5680

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
948⤵
PID:5576

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
949⤵
PID:5840

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
950⤵
PID:5748

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
951⤵
PID:5872

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
952⤵
PID:5844

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
953⤵
PID:5792

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
954⤵
PID:5944

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
955⤵
PID:6056

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
956⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6016

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
957⤵
PID:6060

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
958⤵
- Modifies registry class
PID:5264

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
959⤵
PID:5268

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
960⤵
PID:5256

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
961⤵
PID:664

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
962⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5424

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
963⤵
PID:5352

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
964⤵
PID:5412

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
965⤵
PID:5508

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
966⤵
PID:5848

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
967⤵
PID:5716

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
968⤵
PID:5860

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
969⤵
PID:5928

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
970⤵
PID:5912

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
971⤵
PID:6036

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
972⤵
PID:5892

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
973⤵
PID:5152

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
974⤵
PID:6072

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
975⤵
PID:5316

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
976⤵
PID:3404

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
977⤵
PID:5432

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
978⤵
PID:5212

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
979⤵
PID:5288

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
980⤵
PID:5612

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
981⤵
PID:5456

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
982⤵
PID:5808

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
983⤵
PID:5820

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
984⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
985⤵
PID:5648

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
986⤵
PID:5824

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
987⤵
PID:5852

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
988⤵
- Drops file in System32 directory
PID:6020

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
989⤵
PID:6036

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
990⤵
PID:1420

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
991⤵
PID:920

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
992⤵
PID:5140

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
993⤵
PID:5136

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
994⤵
PID:1424

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
995⤵
PID:5280

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
996⤵
PID:5204

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
997⤵
PID:5536

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
998⤵
PID:5496

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
999⤵
PID:5524

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1000⤵
- Modifies registry class
PID:5660

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1001⤵
PID:5980

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1002⤵
PID:5888

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1003⤵
PID:5928

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1004⤵
PID:5960

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1005⤵
PID:6040

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1006⤵
PID:5224

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1007⤵
PID:5152

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1008⤵
PID:4792

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1009⤵
PID:5580

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1010⤵
PID:5316

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1011⤵
PID:5312

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1012⤵
PID:5620

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1013⤵
PID:5472

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1014⤵
PID:5600

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1015⤵
PID:5692

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1016⤵
PID:5656

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1017⤵
PID:5552

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1018⤵
PID:5872

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1019⤵
PID:5936

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1020⤵
PID:6120

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1021⤵
PID:1500

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1022⤵
PID:856

C:\Windows\SysWOW64\wininet.exe
C:\Windows\system32\wininet.exe
1023⤵
PID:5208

C:\Windows\SysWOW64\wininet.exe
"C:\Windows\SysWOW64\wininet.exe"
1024⤵
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svshost.dll
Filesize
2KB

MD5
30e95d384411b634107cea578531fb4a

SHA1
1cb5206365f090c8737a7038368d00032470347f

SHA256
2a13ab37e010ceef72a27d3bdba139fc1f34fbdf752081f5fb1c6248600f4da1

SHA512
a44f48fbfc57e9ec0aff3aa6460ce096e29042be330aa77b62bf2337465acb8f8e4afe83610c575765cbfebe7041ca0dc32970ad9a0da711b1d6c940380b1ebe

Download Submit
C:\Windows\SysWOW64\wininet.exe
Filesize
364KB

MD5
db86cfeb5da035d609c8a564793a3f9c

SHA1
0bc91c08af0cdf1de593725f65f043f96aa76a79

SHA256
63a76fe85254818dfdadf6ad0b8efb1fc3ad76bded560c76eba456de4c459208

SHA512
f30461288242189cde960cfbcd8365b60365e790ba37597f3bef1a79ef1ca8a6fed5bcd14cb376791c7586736538a661056509b459f9f0b6d14744cf2e520475

Download Submit
C:\Windows\SysWOW64\winint.exe
Filesize
65KB

MD5
226f46b43c1cf282061263b59b27e3ac

SHA1
ef0ea0dd2e0853e485b0234a2de512d96ad00cc4

SHA256
2c32c13df6eca75d6d8ff2fdb145c35e23e9bef7ade08dddfdd85b445cb40e64

SHA512
79cb42ae12ce18a2ed8fbc2444d4b9846eee806fce071a5343171a1d9c85481d3519347eabf9fbe6f6290f95892bab4e4de886ba7b11e82c67560cc9a1e469a4

Download Submit
memory/208-302-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/208-298-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/228-50-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/228-53-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/756-222-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/964-150-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1004-105-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1004-108-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1100-442-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1100-440-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1152-252-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1152-257-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1188-25-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1320-458-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1320-460-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1320-464-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1328-409-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1480-39-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1480-36-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1512-377-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1584-507-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1584-502-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1992-158-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1992-164-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2016-335-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2016-330-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2032-120-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2032-123-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2036-319-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2036-324-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2040-485-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2040-481-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2056-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2056-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2056-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2056-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2304-246-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2304-242-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2312-383-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2312-388-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2340-452-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2348-431-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2348-427-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2528-399-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2528-394-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2640-286-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2640-291-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2712-92-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2712-97-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2992-363-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2992-367-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3144-208-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3144-201-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3288-134-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3288-137-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3332-474-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4032-172-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4032-178-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4164-356-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4236-492-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4236-496-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4240-346-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4240-341-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4356-313-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4356-309-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4376-263-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4376-268-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4508-276-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4508-274-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4508-280-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4528-81-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4528-77-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4624-67-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4624-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4640-186-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4640-193-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4780-420-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4780-415-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5000-235-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download