xtremerat | 30c217930b807be8186a24a3e4d1b66f418e3e9652b3991486d21fdfbfe9020c

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/01/2025, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Perx Injector (x1nject) Remake and Updated.exe
Size

351KB
MD5

6850df03b1fb664f27b920ee096b6ea0
SHA1

a75decb81cd2fb6a1b553b27abb84f61ffed588f
SHA256

e2d8a3a1be1ad78f29f691b20d783b25049d37ccb138002f32e3d74b4e7b2681
SHA512

d30e5c5c91b3eab309afdbedd43b682466472304ac40e725b42dc528053b91b841513f5816dd2d95b514233ee871bacc0890c405a79a2129cef4f16681314df3
SSDEEP

6144:UFw8wzBhaEUJ45mHm3pvr27NabMngLbljkt1E0OTcUtqZ8na29Rd97BSX5Ep:UFszBhqS5mwvezgLZkE0Oo2q+a8zna5I

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 57 IoCs

resource	yara_rule
behavioral1/memory/2792-32-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/860-37-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1808-57-0x0000000000260000-0x0000000000276000-memory.dmp	family_xtremerat
behavioral1/memory/568-71-0x0000000000230000-0x0000000000246000-memory.dmp	family_xtremerat
behavioral1/memory/2872-70-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/568-77-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2872-83-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1316-80-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1316-93-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1888-127-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1748-129-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2820-130-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1604-126-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1888-137-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1748-141-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1352-143-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2820-144-0x0000000000230000-0x0000000000246000-memory.dmp	family_xtremerat
behavioral1/memory/2252-149-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2820-147-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2252-156-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1604-157-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1604-162-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2984-165-0x0000000000020000-0x0000000000036000-memory.dmp	family_xtremerat
behavioral1/memory/328-164-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/328-169-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/632-170-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2644-183-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2620-186-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2984-190-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2632-185-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/656-196-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/264-195-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2644-203-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2632-206-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3056-210-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2984-212-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/264-220-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2472-218-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1556-225-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/632-228-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/656-232-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2284-237-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1556-242-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2500-248-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/592-282-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/944-283-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2732-278-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3036-268-0x00000000001F0000-0x0000000000206000-memory.dmp	family_xtremerat
behavioral1/memory/2764-267-0x0000000000260000-0x0000000000276000-memory.dmp	family_xtremerat
behavioral1/memory/960-265-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2284-281-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2832-277-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2772-274-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2544-310-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1456-453-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2900-481-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/3032-514-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	services.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe restart"	services.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	services.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe

Executes dropped EXE 64 IoCs

pid	Process
1428	install.exe
860	services.exe
2872	java.exe
1808	install.exe
3052	install.exe
1316	services.exe
568	services.exe
2820	java.exe
2252	java.exe
1012	install.exe
1664	install.exe
2816	install.exe
2520	install.exe
1604	services.exe
1888	services.exe
1352	services.exe
1748	services.exe
328	java.exe
632	java.exe
2984	java.exe
2852	install.exe
2648	install.exe
2864	install.exe
2172	install.exe
2912	install.exe
2760	install.exe
2740	install.exe
2016	install.exe
1556	services.exe
2644	services.exe
2632	services.exe
2620	services.exe
3056	services.exe
264	services.exe
656	services.exe
2472	services.exe
2284	java.exe
2500	java.exe
352	java.exe
2420	install.exe
2076	services.exe
1752	install.exe
3032	install.exe
960	services.exe
2764	install.exe
3036	install.exe
1772	install.exe
2768	install.exe
1428	services.exe
1584	install.exe
2772	services.exe
2832	services.exe
2732	services.exe
592	services.exe
944	services.exe
2544	java.exe
568	install.exe
532	services.exe
1340	java.exe
2524	java.exe
1796	services.exe
1408	services.exe
1456	java.exe
2912	install.exe

Loads dropped DLL 64 IoCs

pid	Process
2004	Perx Injector (x1nject) Remake and Updated.exe
1428	install.exe
1428	install.exe
1428	install.exe
1428	install.exe
1428	install.exe
860	services.exe
860	services.exe
860	services.exe
860	services.exe
860	services.exe
2872	java.exe
2872	java.exe
2872	java.exe
1980	Perx Injector (x1nject) Remake and Updated.exe
1980	Perx Injector (x1nject) Remake and Updated.exe
1808	install.exe
1808	install.exe
1808	install.exe
1808	install.exe
3052	install.exe
3052	install.exe
3052	install.exe
1316	services.exe
1316	services.exe
3052	install.exe
568	services.exe
568	services.exe
2872	java.exe
2820	java.exe
2820	java.exe
2820	java.exe
2792	svchost.exe
2792	svchost.exe
2252	java.exe
2252	java.exe
2904	Perx Injector (x1nject) Remake and Updated.exe
1012	install.exe
1012	install.exe
2904	Perx Injector (x1nject) Remake and Updated.exe
704	Perx Injector (x1nject) Remake and Updated.exe
1664	install.exe
1664	install.exe
704	Perx Injector (x1nject) Remake and Updated.exe
2520	install.exe
2520	install.exe
2816	install.exe
2816	install.exe
1012	install.exe
2520	install.exe
1012	install.exe
2520	install.exe
1664	install.exe
2816	install.exe
1664	install.exe
2816	install.exe
1888	services.exe
1888	services.exe
1604	services.exe
1604	services.exe
1352	services.exe
1352	services.exe
1748	services.exe
1748	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016c9d-17.dat	upx
behavioral1/memory/1428-18-0x0000000000260000-0x0000000000276000-memory.dmp	upx
behavioral1/memory/860-25-0x00000000001C0000-0x00000000001D6000-memory.dmp	upx
behavioral1/memory/2792-32-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/860-37-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1316-58-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2872-70-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/568-77-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2872-83-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1316-80-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1316-93-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2252-100-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1352-128-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1888-127-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1748-129-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2820-130-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1604-126-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1888-137-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1748-141-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1352-143-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2820-144-0x0000000000230000-0x0000000000246000-memory.dmp	upx
behavioral1/memory/2252-149-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/328-151-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2820-147-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2252-156-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1604-157-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1604-162-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2984-163-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/328-164-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/328-169-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/632-170-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2644-183-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2620-186-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2984-190-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2632-185-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/656-196-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/264-195-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2644-203-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2632-206-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3056-210-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2984-212-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/264-220-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2472-218-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1556-225-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/632-228-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/656-232-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2284-237-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1556-242-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2500-248-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/592-282-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/944-283-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2732-278-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/960-265-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2284-281-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2832-277-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2772-274-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2544-310-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1456-453-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2900-481-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/3032-514-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	java.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	java.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	java.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2392	Perx Injector (x1nject) Remake and Updated.exe
980	Perx Injector (x1nject) Remake and Updated.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2004	Perx Injector (x1nject) Remake and Updated.exe
Token: SeRestorePrivilege	2004	Perx Injector (x1nject) Remake and Updated.exe
Token: SeRestorePrivilege	860	services.exe
Token: SeBackupPrivilege	860	services.exe
Token: SeRestorePrivilege	2872	java.exe
Token: SeBackupPrivilege	2872	java.exe
Token: SeRestorePrivilege	2820	java.exe
Token: SeBackupPrivilege	2820	java.exe
Token: SeRestorePrivilege	328	java.exe
Token: SeBackupPrivilege	328	java.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1428	install.exe
1808	install.exe
3052	install.exe
1012	install.exe
2520	install.exe
2816	install.exe
1664	install.exe
2852	install.exe
2172	install.exe
2912	install.exe
2648	install.exe
2864	install.exe
2760	install.exe
2016	install.exe
2740	install.exe
2420	install.exe
3032	install.exe
1752	install.exe
2764	install.exe
1772	install.exe
3036	install.exe
2768	install.exe
1584	install.exe
568	install.exe
2912	install.exe
2844	install.exe
1308	install.exe
1244	install.exe
2624	install.exe
568	install.exe
1624	install.exe
1584	install.exe
2172	install.exe
2764	install.exe
2688	install.exe
2936	install.exe
1560	install.exe
2420	install.exe
1316	install.exe
1836	install.exe
3052	install.exe
2420	install.exe
1772	install.exe
1760	install.exe
2776	install.exe
3084	install.exe
3076	install.exe
3112	install.exe
1456	install.exe
3132	install.exe
3232	install.exe
3216	install.exe
3304	install.exe
3252	install.exe
3484	install.exe
3588	install.exe
3544	install.exe
3632	install.exe
3596	install.exe
3928	install.exe
3848	install.exe
3860	install.exe
3948	install.exe
3980	install.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1428	2004	Perx Injector (x1nject) Remake and Updated.exe	31
PID 2004 wrote to memory of 1428	2004	Perx Injector (x1nject) Remake and Updated.exe	31
PID 2004 wrote to memory of 1428	2004	Perx Injector (x1nject) Remake and Updated.exe	31
PID 2004 wrote to memory of 1428	2004	Perx Injector (x1nject) Remake and Updated.exe	31
PID 2004 wrote to memory of 1428	2004	Perx Injector (x1nject) Remake and Updated.exe	31
PID 2004 wrote to memory of 1428	2004	Perx Injector (x1nject) Remake and Updated.exe	31
PID 2004 wrote to memory of 1428	2004	Perx Injector (x1nject) Remake and Updated.exe	31
PID 1428 wrote to memory of 860	1428	install.exe	32
PID 1428 wrote to memory of 860	1428	install.exe	32
PID 1428 wrote to memory of 860	1428	install.exe	32
PID 1428 wrote to memory of 860	1428	install.exe	32
PID 1428 wrote to memory of 860	1428	install.exe	32
PID 1428 wrote to memory of 860	1428	install.exe	32
PID 1428 wrote to memory of 860	1428	install.exe	32
PID 860 wrote to memory of 2792	860	services.exe	33
PID 860 wrote to memory of 2792	860	services.exe	33
PID 860 wrote to memory of 2792	860	services.exe	33
PID 860 wrote to memory of 2792	860	services.exe	33
PID 860 wrote to memory of 2792	860	services.exe	33
PID 860 wrote to memory of 2792	860	services.exe	33
PID 860 wrote to memory of 2792	860	services.exe	33
PID 860 wrote to memory of 2792	860	services.exe	33
PID 860 wrote to memory of 2720	860	services.exe	34
PID 860 wrote to memory of 2720	860	services.exe	34
PID 860 wrote to memory of 2720	860	services.exe	34
PID 860 wrote to memory of 2720	860	services.exe	34
PID 860 wrote to memory of 2720	860	services.exe	34
PID 860 wrote to memory of 2692	860	services.exe	35
PID 860 wrote to memory of 2692	860	services.exe	35
PID 860 wrote to memory of 2692	860	services.exe	35
PID 860 wrote to memory of 2692	860	services.exe	35
PID 860 wrote to memory of 2692	860	services.exe	35
PID 860 wrote to memory of 2400	860	services.exe	36
PID 860 wrote to memory of 2400	860	services.exe	36
PID 860 wrote to memory of 2400	860	services.exe	36
PID 860 wrote to memory of 2400	860	services.exe	36
PID 860 wrote to memory of 2400	860	services.exe	36
PID 860 wrote to memory of 2876	860	services.exe	37
PID 860 wrote to memory of 2876	860	services.exe	37
PID 860 wrote to memory of 2876	860	services.exe	37
PID 860 wrote to memory of 2876	860	services.exe	37
PID 860 wrote to memory of 2876	860	services.exe	37
PID 860 wrote to memory of 2684	860	services.exe	38
PID 860 wrote to memory of 2684	860	services.exe	38
PID 860 wrote to memory of 2684	860	services.exe	38
PID 860 wrote to memory of 2684	860	services.exe	38
PID 860 wrote to memory of 2684	860	services.exe	38
PID 860 wrote to memory of 2880	860	services.exe	39
PID 860 wrote to memory of 2880	860	services.exe	39
PID 860 wrote to memory of 2880	860	services.exe	39
PID 860 wrote to memory of 2880	860	services.exe	39
PID 860 wrote to memory of 2880	860	services.exe	39
PID 860 wrote to memory of 2160	860	services.exe	40
PID 860 wrote to memory of 2160	860	services.exe	40
PID 860 wrote to memory of 2160	860	services.exe	40
PID 860 wrote to memory of 2160	860	services.exe	40
PID 860 wrote to memory of 2160	860	services.exe	40
PID 860 wrote to memory of 2604	860	services.exe	41
PID 860 wrote to memory of 2604	860	services.exe	41
PID 860 wrote to memory of 2604	860	services.exe	41
PID 860 wrote to memory of 2604	860	services.exe	41
PID 860 wrote to memory of 2872	860	services.exe	42
PID 860 wrote to memory of 2872	860	services.exe	42
PID 860 wrote to memory of 2872	860	services.exe	42

C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
"C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    services.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      PID:2792
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3068
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1124
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2664
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1724
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Executes dropped EXE
        
        PID:2544
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2984
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2748
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2696
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1880
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2476
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2820
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2524
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2272
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2304
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        
        PID:2320
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3156
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3964
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1316
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:880
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3308
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3740
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1716
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Adds Run key to start application
        
        PID:1300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3916
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3724
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3632
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3940
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        
        PID:3828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1760
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        
        PID:940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4196
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4536
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4892
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5048
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1892
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3400
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4276
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Adds Run key to start application
        
        PID:4288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4588
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4648
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4228
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4388
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4528
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4664
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4984
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        
        PID:4996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4320
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        
        PID:4336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4680
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Adds Run key to start application
        
        PID:5024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5068
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4964
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5092
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4252
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5112
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4628
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5128
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4384
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5136
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5348
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:1868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4400
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4752
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5176
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        
        PID:5216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5476
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        
        PID:5488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5784
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5932
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5528
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5860
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        
        PID:5872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6092
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5628
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5012
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5832
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5660
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5740
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5824
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6044
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5104
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:1388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5868
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3952
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5100
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5228
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5172
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5388
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5308
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5556
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5952
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:5808
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        
        PID:5888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6188
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Adds Run key to start application
        
        PID:6208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6496
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:6508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6712
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1968
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5880
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6136
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6156
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6176
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6196
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6256
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6572
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        
        PID:6592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6720
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        
        PID:6320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6408
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6460
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6564
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Adds Run key to start application
        
        PID:6660
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2720
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2692
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2400
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2684
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2160
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2604
  - - C:\Program Files (x86)\jre6\java.exe
      "C:\Program Files (x86)\jre6\java.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2872
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2572
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2580
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2600
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:776
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1036
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1004
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2324
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2060
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2036
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:896
- - C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
    "Perx Injector (x1nject) Remake and Updated.exe"
    3⤵
    - Loads dropped DLL
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:1316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:772
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\services.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        7⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:3436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3340
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        16⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\services.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        Drops file in Program Files directory
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3644
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        14⤵
        Adds Run key to start application
        
        PID:1660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3388
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        15⤵
        Adds Run key to start application
        
        PID:3412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2848
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        16⤵
        
        PID:3932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Program Files directory
        
        PID:3336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:3296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:568
    - - C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:704
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        7⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Program Files directory
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        Drops file in Program Files directory
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\jre6\java.exe
        
        "C:\Users\Admin\AppData\Roaming\jre6\java.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\jre6\java.exe
        
        "C:\Users\Admin\AppData\Roaming\jre6\java.exe"
        12⤵
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        7⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\jre6\java.exe
        
        "C:\Users\Admin\AppData\Roaming\jre6\java.exe"
        14⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:3436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        15⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        15⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
16KB

MD5
f1906521a2ae34bb05cb058a6d1d16e9

SHA1
ec6dfbdb2097ac48de5ef4126b787141159db121

SHA256
4f838fc46bef6f978d8890b26dc7370f61c59bfb979ee189e745d498356272e3

SHA512
cba28ba2970b4e4d99d1c18096f60913299d7a1a191dfa1c841199536acdffa561a78b6240a2d62ea2f0430d065e3a89057a901878a8a23593e06d8855d43fc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
9009da1fcd6eee7bbd8b336364208a5f

SHA1
ac58ba38ebe6e24ee111e894823194ff69e8353b

SHA256
663b034709fb6c27a5cc1bcbcbe895349d1467a3b8a64cecce00bb0096f9e2dc

SHA512
049458d9dc689a6e3fb45552c96d3b0362643c8c88a8f8ba1eebb85d7f2a0c1382f33561b14b5bb9e081015cd1f64e0e4dac56eef8eb3594a10224d3218cb5a6

Download Submit
\Users\Admin\AppData\Local\Temp\services.exe

Filesize
21KB

MD5
cd114b946e262e2f42b44be5988983a5

SHA1
4d26206a2131c30f29820fee114967de991357ae

SHA256
b89534c4b6bd5ea0bdb075d23cf5cbb142bef93d112328963fea3aedf0c84a7a

SHA512
ebc6632a4d8d0e38dbf1b4b72113c6acc3ff439bc83443a5084de4faff4599dd4d72ca5a6bdc96d2c33b17186a9c211b30436760050130e069408f81d4ccabdc

Download Submit
memory/264-195-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/264-220-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/328-169-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/328-164-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/328-166-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/328-151-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/352-239-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/568-77-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/568-71-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/592-282-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/632-158-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/632-170-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/632-224-0x0000000002D10000-0x0000000002D26000-memory.dmp

Filesize
88KB

Download
memory/632-228-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/656-196-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/656-232-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/860-37-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/860-25-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/860-26-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/944-283-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/960-265-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/960-266-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1012-125-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/1316-58-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1316-80-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1316-65-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1316-89-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1316-64-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1316-93-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1352-128-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1352-143-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1428-269-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1428-39-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/1428-18-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/1456-453-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1556-242-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1556-238-0x0000000002260000-0x0000000002276000-memory.dmp

Filesize
88KB

Download
memory/1556-184-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1556-225-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1584-279-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/1604-126-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1604-157-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1604-162-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1748-141-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1748-129-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1808-79-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/1808-57-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/1888-137-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1888-127-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2076-250-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2252-100-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2252-150-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2252-102-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2252-152-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2252-101-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2252-149-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2252-156-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2284-237-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2284-281-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2284-226-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2420-247-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2472-218-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2500-249-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2500-234-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2500-248-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2544-310-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2620-186-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2632-206-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2632-185-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2644-203-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2644-183-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2648-180-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2648-197-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2732-278-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2760-192-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2764-267-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2772-274-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2792-32-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2792-233-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/2792-240-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/2792-148-0x00000000006A0000-0x00000000006B6000-memory.dmp

Filesize
88KB

Download
memory/2792-98-0x00000000006A0000-0x00000000006B6000-memory.dmp

Filesize
88KB

Download
memory/2820-87-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2820-145-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2820-147-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2820-130-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2820-144-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2820-88-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2832-277-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2872-83-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2872-70-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2900-481-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2912-179-0x0000000000330000-0x0000000000346000-memory.dmp

Filesize
88KB

Download
memory/2984-163-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2984-190-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2984-212-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2984-165-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/3032-264-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/3032-263-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/3032-514-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3036-268-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/3056-210-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads