xtremerat | a056f867a236bbaff94e7da81355ac0725aefb5a41376f42ce06eb938af6211b

Resubmissions

12/01/2025, 15:48

250112-s8223aykfx 10

12/01/2025, 15:35

250112-s1cgfaxqhx 10

Analysis

max time kernel
52s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2025, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
Size

171KB
MD5

1227b76e0d09be1a3189f997f0096e3d
SHA1

d1fa42ace2868175e1d7f8d026caab4e8c09bfb1
SHA256

a056f867a236bbaff94e7da81355ac0725aefb5a41376f42ce06eb938af6211b
SHA512

08ad3059abf619b7175c65644b8adc5c1ce00a4800b703b9d9bbe52032d3a756c1abe9f35f1c533c820c9ab61a41962b6128b9edcdd0d9dd2e424dea10357b19
SSDEEP

3072:lxexkMNY+4n8iVMMS73Gso2APwDsvZMQ0rX8Zv:D6k/+4nNv9vIDZf41

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 7 IoCs

resource	yara_rule
behavioral2/memory/2572-5-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/2572-33-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3168-39-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/2832-51-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/980-56-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4908-64-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/2024-98-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\system32\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\system32\\installwin\\winini.exe restart"	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\SysWOW64\\installwin\\winini.exe restart"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}\StubPath = "C:\\Windows\\system32\\installwin\\winini.exe restart"	winini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{56TJ2766-WHCI-AU8P-WOEA-DO2XS28YRVWU}	winini.exe

Checks computer location settings 2 TTPs 33 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winini.exe

Executes dropped EXE 64 IoCs

pid	Process
3964	winini.exe
3168	winini.exe
2732	winini.exe
2832	winini.exe
3872	winini.exe
4908	winini.exe
4708	winini.exe
4496	winini.exe
3740	winini.exe
4284	winini.exe
3004	winini.exe
2024	winini.exe
532	winini.exe
4344	winini.exe
4564	winini.exe
2868	winini.exe
3868	winini.exe
4468	winini.exe
4636	winini.exe
4532	winini.exe
3388	winini.exe
784	winini.exe
1424	winini.exe
2480	winini.exe
5028	winini.exe
5032	winini.exe
2448	winini.exe
468	winini.exe
4468	winini.exe
3136	winini.exe
3808	winini.exe
4692	winini.exe
5128	winini.exe
5180	winini.exe
5252	winini.exe
5304	winini.exe
5312	winini.exe
5320	winini.exe
5476	winini.exe
5516	winini.exe
5632	winini.exe
5664	winini.exe
5884	winini.exe
5932	winini.exe
6024	winini.exe
6056	winini.exe
5104	winini.exe
5028	winini.exe
5288	winini.exe
5336	winini.exe
5340	winini.exe
5536	winini.exe
5620	winini.exe
1960	winini.exe
5716	winini.exe
5904	winini.exe
5564	winini.exe
5412	winini.exe
5324	winini.exe
3428	winini.exe
852	winini.exe
5960	winini.exe
396	winini.exe
5128	winini.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\SysWOW64\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Users\\Admin\\AppData\\Roaming\\installwin\\winini.exe"	winini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winin = "C:\\Windows\\system32\\installwin\\winini.exe"	svchost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File created	C:\Windows\SysWOW64\installwin\winini.exe	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe
File opened for modification	C:\Windows\SysWOW64\installwin\winini.exe	winini.exe

Suspicious use of SetThreadContext 39 IoCs

description	pid	Process	procid_target
PID 3860 set thread context of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 3964 set thread context of 3168	3964	winini.exe	97
PID 2732 set thread context of 2832	2732	winini.exe	108
PID 3872 set thread context of 4908	3872	winini.exe	120
PID 4708 set thread context of 4496	4708	winini.exe	140
PID 3740 set thread context of 4284	3740	winini.exe	144
PID 3004 set thread context of 2024	3004	winini.exe	156
PID 532 set thread context of 4344	532	winini.exe	170
PID 4564 set thread context of 3868	4564	winini.exe	178
PID 2868 set thread context of 4468	2868	winini.exe	180
PID 4636 set thread context of 4532	4636	winini.exe	190
PID 3388 set thread context of 784	3388	winini.exe	210
PID 1424 set thread context of 5028	1424	winini.exe	220
PID 2480 set thread context of 2448	2480	winini.exe	224
PID 5032 set thread context of 468	5032	winini.exe	227
PID 4468 set thread context of 3136	4468	winini.exe	238
PID 3808 set thread context of 4692	3808	winini.exe	259
PID 5180 set thread context of 5304	5180	winini.exe	272
PID 5128 set thread context of 5312	5128	winini.exe	273
PID 5252 set thread context of 5476	5252	winini.exe	280
PID 5320 set thread context of 5516	5320	winini.exe	282
PID 5632 set thread context of 5664	5632	winini.exe	289
PID 5884 set thread context of 5932	5884	winini.exe	314
PID 6024 set thread context of 6056	6024	winini.exe	323
PID 5104 set thread context of 5288	5104	winini.exe	336
PID 5028 set thread context of 5336	5028	winini.exe	337
PID 5340 set thread context of 5620	5340	winini.exe	346
PID 5536 set thread context of 1960	5536	winini.exe	347
PID 5716 set thread context of 5904	5716	winini.exe	354
PID 5564 set thread context of 5412	5564	winini.exe	379
PID 5324 set thread context of 852	5324	winini.exe	394
PID 3428 set thread context of 5960	3428	winini.exe	396
PID 396 set thread context of 3952	396	winini.exe	409
PID 5128 set thread context of 5476	5128	winini.exe	414
PID 5664 set thread context of 5620	5664	winini.exe	420
PID 5616 set thread context of 6168	5616	winini.exe	422
PID 6200 set thread context of 6288	6200	winini.exe	428
PID 6576 set thread context of 6616	6576	winini.exe	457
PID 6764 set thread context of 6888	6764	winini.exe	476

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2572-2-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2572-4-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2572-6-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2572-5-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2572-33-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3168-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3168-39-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2832-50-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2832-51-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/980-56-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4908-63-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4908-64-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2024-98-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winini.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	taskmgr.exe
Token: SeSystemProfilePrivilege	4136	taskmgr.exe
Token: SeCreateGlobalPrivilege	4136	taskmgr.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe
4136	taskmgr.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
3964	winini.exe
2732	winini.exe
3872	winini.exe
4708	winini.exe
3740	winini.exe
3004	winini.exe
532	winini.exe
4564	winini.exe
2868	winini.exe
4636	winini.exe
3388	winini.exe
1424	winini.exe
2480	winini.exe
5032	winini.exe
4468	winini.exe
3808	winini.exe
5128	winini.exe
5180	winini.exe
5252	winini.exe
5320	winini.exe
5632	winini.exe
5884	winini.exe
6024	winini.exe
5104	winini.exe
5028	winini.exe
5340	winini.exe
5536	winini.exe
5716	winini.exe
5564	winini.exe
5324	winini.exe
3428	winini.exe
396	winini.exe
5128	winini.exe
5664	winini.exe
5616	winini.exe
6200	winini.exe
6576	winini.exe
6764	winini.exe
6812	winini.exe
6848	winini.exe
7004	winini.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 3860 wrote to memory of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 3860 wrote to memory of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 3860 wrote to memory of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 3860 wrote to memory of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 3860 wrote to memory of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 3860 wrote to memory of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 3860 wrote to memory of 2572	3860	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	83
PID 2572 wrote to memory of 3516	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	84
PID 2572 wrote to memory of 3516	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	84
PID 2572 wrote to memory of 3516	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	84
PID 2572 wrote to memory of 2696	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	85
PID 2572 wrote to memory of 2696	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	85
PID 2572 wrote to memory of 2696	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	85
PID 2572 wrote to memory of 4932	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	86
PID 2572 wrote to memory of 4932	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	86
PID 2572 wrote to memory of 4932	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	86
PID 2572 wrote to memory of 2004	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	87
PID 2572 wrote to memory of 2004	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	87
PID 2572 wrote to memory of 2004	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	87
PID 2572 wrote to memory of 1884	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	88
PID 2572 wrote to memory of 1884	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	88
PID 2572 wrote to memory of 1884	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	88
PID 2572 wrote to memory of 2660	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	91
PID 2572 wrote to memory of 2660	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	91
PID 2572 wrote to memory of 2660	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	91
PID 2572 wrote to memory of 1808	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	92
PID 2572 wrote to memory of 1808	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	92
PID 2572 wrote to memory of 1808	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	92
PID 2572 wrote to memory of 1108	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	93
PID 2572 wrote to memory of 1108	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	93
PID 2572 wrote to memory of 1108	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	93
PID 2572 wrote to memory of 2708	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	95
PID 2572 wrote to memory of 2708	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	95
PID 2572 wrote to memory of 3964	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	96
PID 2572 wrote to memory of 3964	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	96
PID 2572 wrote to memory of 3964	2572	JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe	96
PID 3964 wrote to memory of 3168	3964	winini.exe	97
PID 3964 wrote to memory of 3168	3964	winini.exe	97
PID 3964 wrote to memory of 3168	3964	winini.exe	97
PID 3964 wrote to memory of 3168	3964	winini.exe	97
PID 3964 wrote to memory of 3168	3964	winini.exe	97
PID 3964 wrote to memory of 3168	3964	winini.exe	97
PID 3964 wrote to memory of 3168	3964	winini.exe	97
PID 3964 wrote to memory of 3168	3964	winini.exe	97
PID 3168 wrote to memory of 2428	3168	winini.exe	98
PID 3168 wrote to memory of 2428	3168	winini.exe	98
PID 3168 wrote to memory of 2428	3168	winini.exe	98
PID 3168 wrote to memory of 3272	3168	winini.exe	99
PID 3168 wrote to memory of 3272	3168	winini.exe	99
PID 3168 wrote to memory of 3272	3168	winini.exe	99
PID 3168 wrote to memory of 1048	3168	winini.exe	100
PID 3168 wrote to memory of 1048	3168	winini.exe	100
PID 3168 wrote to memory of 1048	3168	winini.exe	100
PID 3168 wrote to memory of 1272	3168	winini.exe	101
PID 3168 wrote to memory of 1272	3168	winini.exe	101
PID 3168 wrote to memory of 1272	3168	winini.exe	101
PID 3168 wrote to memory of 2584	3168	winini.exe	102
PID 3168 wrote to memory of 2584	3168	winini.exe	102
PID 3168 wrote to memory of 2584	3168	winini.exe	102
PID 3168 wrote to memory of 3540	3168	winini.exe	103
PID 3168 wrote to memory of 3540	3168	winini.exe	103
PID 3168 wrote to memory of 3540	3168	winini.exe	103
PID 3168 wrote to memory of 2016	3168	winini.exe	104

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\installwin\winini.exe
    "C:\Windows\system32\installwin\winini.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\installwin\winini.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:2428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3000
    - - C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2732
      - C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3740
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5032
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5320
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:468
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5536
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        18⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5616
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:6972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        20⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        21⤵
        
        PID:6576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4564
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5252
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5340
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:2940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5664
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        18⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        19⤵
        
        PID:6660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1424
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5180
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5128
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:1328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        16⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        17⤵
        
        PID:6200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5128
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:396
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:7004
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        15⤵
        
        PID:5884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6024
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5324
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6812
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        13⤵
        
        PID:7052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6848
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        11⤵
        
        PID:7072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        8⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6764
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:60
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\system32\installwin\winini.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:1568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:1668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:3060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:2060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:3772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3808
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:5208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:5392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:5468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:5656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:5796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5884
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:5976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:6048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:2852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:5252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:5952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:5364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5564
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:5592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:5672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:6220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:6364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:6428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        "C:\Windows\SysWOW64\installwin\winini.exe"
        21⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6576
        
        C:\Windows\SysWOW64\installwin\winini.exe
        
        22⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:6676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:6732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:7124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:6600

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2908

C:\Users\Admin\AppData\Roaming\installwin\winini.exe
"C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3004
- C:\Users\Admin\AppData\Roaming\installwin\winini.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:2024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1656
- - C:\Users\Admin\AppData\Roaming\installwin\winini.exe
    "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4636
  - - C:\Users\Admin\AppData\Roaming\installwin\winini.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4140
    - - C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4468
      - C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5632
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5716
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6200
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:6340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:6404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:6468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:6608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:6716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:6916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:7024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        "C:\Users\Admin\AppData\Roaming\installwin\winini.exe"
        13⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Roaming\installwin\winini.exe
        
        14⤵
        
        PID:6904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\b5aQyA.cfg

Filesize
1KB

MD5
9b5c1860e1f8e16a93fed1328792f8f0

SHA1
fa1b62433d039316a0aaeccd85b6a67ecac460aa

SHA256
914b7207e17f1ef7f13f34eddeb7b20d5c84be93947ee0d8472b1265ed6e77fe

SHA512
1dbf0a26e0881614f1abaa3b11a3252460cf59d97db5c41adbf7f5ccda57a56b3824cd993b8f63046fbeb6a8a82fb7c571fc6ed4754d955093f30775e40f8b78

Download Submit
C:\Windows\SysWOW64\installwin\winini.exe

Filesize
171KB

MD5
1227b76e0d09be1a3189f997f0096e3d

SHA1
d1fa42ace2868175e1d7f8d026caab4e8c09bfb1

SHA256
a056f867a236bbaff94e7da81355ac0725aefb5a41376f42ce06eb938af6211b

SHA512
08ad3059abf619b7175c65644b8adc5c1ce00a4800b703b9d9bbe52032d3a756c1abe9f35f1c533c820c9ab61a41962b6128b9edcdd0d9dd2e424dea10357b19

Download Submit
memory/980-56-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2024-98-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2572-5-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2572-6-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2572-2-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2572-4-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2572-33-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2832-51-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/2832-50-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3168-39-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3168-38-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4136-11-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-19-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-20-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-21-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-22-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-16-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-17-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-18-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-12-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4136-10-0x000002E8609E0000-0x000002E8609E1000-memory.dmp

Filesize
4KB

Download
memory/4908-63-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4908-64-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download