xtremerat | 261e2670c76edb0f4e643a2be845d06a755161ec93b6cd9d525edc6dcf76570a

Analysis

max time kernel
126s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/03/2025, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
Size

432KB
MD5

7aa59f694554f7383d005497687a3b5f
SHA1

7d31ecc2bfd70937e553c15a1b171be37cfb42b9
SHA256

261e2670c76edb0f4e643a2be845d06a755161ec93b6cd9d525edc6dcf76570a
SHA512

f10ca5be1bf76da4bdd117d6b39e8ed40ccfaa2fee31d7177b890cb07eb48bed7b6a75fabbeafaa9137ab6816024ac612cc5258806cda9ce64c082df8c492acf
SSDEEP

12288:y2u4sum+hlTEqUZoYX+KdC3R+kFifVucd0tB0GI:GKmGlTEZo8eRpFifMVY

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/2780-58-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2780-57-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2780-54-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2780-53-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2780-60-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2780-52-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2780-51-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2780-50-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/1144-68-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BO81F3DC-JY77-H7FP-G7TT-Y8074W70U13I}\StubPath = "C:\\Windows\\SysWOW64\\system86\\winsys.exe restart"	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2648	winsys.exe
3056	winsys.exe
1964	winsys.exe
2352	winsys.exe
2088	winsys.exe
2456	winsys.exe
2016	winsys.exe
2008	winsys.exe
1080	winsys.exe
2904	winsys.exe
2732	winsys.exe
1928	winsys.exe
896	winsys.exe
2508	winsys.exe
948	winsys.exe
1864	winsys.exe
1380	winsys.exe
1980	winsys.exe
2256	winsys.exe
2912	winsys.exe
2708	winsys.exe
1640	winsys.exe
2948	winsys.exe
1768	winsys.exe
2088	winsys.exe
940	winsys.exe
1564	winsys.exe
3048	winsys.exe
3032	winsys.exe
1164	winsys.exe
2708	winsys.exe
1844	winsys.exe
2380	winsys.exe
2812	winsys.exe
2900	winsys.exe
2424	winsys.exe
2908	winsys.exe
2560	winsys.exe
972	winsys.exe
2968	winsys.exe
2320	winsys.exe
1692	winsys.exe
2908	winsys.exe
3032	winsys.exe
2364	winsys.exe
2932	winsys.exe
3112	winsys.exe
3184	winsys.exe
3336	winsys.exe
3444	winsys.exe
3524	winsys.exe
3540	winsys.exe
3640	winsys.exe
3828	winsys.exe
1692	winsys.exe
1080	winsys.exe
3084	winsys.exe
3384	winsys.exe
3032	winsys.exe
3548	winsys.exe
3724	winsys.exe
3524	winsys.exe
3916	winsys.exe
2672	winsys.exe

Loads dropped DLL 53 IoCs

pid	Process
2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
1144	svchost.exe
1144	svchost.exe
3056	winsys.exe
3056	winsys.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
896	winsys.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1564	winsys.exe
1144	svchost.exe
1144	svchost.exe
1164	winsys.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe
1144	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Windows\\SysWOW64\\system86\\winsys.exe"	winsys.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File created	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File created	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File created	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	winsys.exe
File opened for modification	C:\Windows\SysWOW64\system86\winsys.exe	Process not Found

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 796 set thread context of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 2648 set thread context of 3056	2648	winsys.exe	40
PID 1964 set thread context of 2088	1964	winsys.exe	51
PID 2352 set thread context of 2456	2352	winsys.exe	53
PID 2016 set thread context of 1080	2016	winsys.exe	64
PID 2008 set thread context of 2904	2008	winsys.exe	65
PID 2732 set thread context of 896	2732	winsys.exe	80
PID 1928 set thread context of 2508	1928	winsys.exe	81
PID 948 set thread context of 1380	948	winsys.exe	93
PID 1864 set thread context of 1980	1864	winsys.exe	94
PID 2256 set thread context of 2708	2256	winsys.exe	113
PID 2912 set thread context of 1640	2912	winsys.exe	116
PID 2948 set thread context of 1768	2948	winsys.exe	117
PID 2088 set thread context of 1564	2088	winsys.exe	141
PID 940 set thread context of 3048	940	winsys.exe	142
PID 3032 set thread context of 1164	3032	winsys.exe	146
PID 2708 set thread context of 1844	2708	winsys.exe	168
PID 2380 set thread context of 2812	2380	winsys.exe	171
PID 2900 set thread context of 2424	2900	winsys.exe	173
PID 2908 set thread context of 972	2908	winsys.exe	199
PID 2560 set thread context of 2968	2560	winsys.exe	200
PID 2320 set thread context of 2908	2320	winsys.exe	205
PID 1692 set thread context of 3032	1692	winsys.exe	206
PID 2364 set thread context of 3112	2364	winsys.exe	237
PID 2932 set thread context of 3184	2932	winsys.exe	238
PID 3336 set thread context of 3444	3336	winsys.exe	244
PID 3524 set thread context of 3640	3524	winsys.exe	247
PID 3540 set thread context of 3828	3540	winsys.exe	249
PID 1692 set thread context of 3084	1692	winsys.exe	286
PID 1080 set thread context of 3384	1080	winsys.exe	287
PID 3032 set thread context of 3724	3032	winsys.exe	295
PID 3548 set thread context of 3524	3548	winsys.exe	296
PID 3916 set thread context of 2672	3916	winsys.exe	298
PID 3236 set thread context of 3412	3236	winsys.exe	305
PID 3768 set thread context of 3208	3768	winsys.exe	345
PID 3780 set thread context of 3076	3780	winsys.exe	344
PID 3852 set thread context of 3364	3852	winsys.exe	353
PID 3460 set thread context of 2452	3460	winsys.exe	355
PID 3216 set thread context of 3388	3216	winsys.exe	361
PID 1372 set thread context of 1692	1372	winsys.exe	365
PID 3792 set thread context of 1660	3792	winsys.exe	368
PID 3504 set thread context of 4156	3504	winsys.exe	410
PID 4284 set thread context of 4396	4284	winsys.exe	416
PID 4404 set thread context of 4596	4404	winsys.exe	420
PID 4568 set thread context of 4792	4568	winsys.exe	423
PID 4912 set thread context of 5040	4912	winsys.exe	427
PID 4112 set thread context of 4188	4112	winsys.exe	432
PID 4328 set thread context of 4452	4328	winsys.exe	435
PID 3904 set thread context of 5032	3904	winsys.exe	478
PID 1736 set thread context of 4264	1736	winsys.exe	485
PID 3784 set thread context of 4428	3784	winsys.exe	487
PID 4220 set thread context of 4980	4220	winsys.exe	489
PID 4908 set thread context of 4216	4908	winsys.exe	493
PID 4464 set thread context of 4224	4464	winsys.exe	501
PID 3728 set thread context of 5016	3728	winsys.exe	504
PID 3524 set thread context of 4984	3524	winsys.exe	546
PID 5080 set thread context of 5104	5080	winsys.exe	549
PID 2452 set thread context of 4992	2452	winsys.exe	553
PID 5052 set thread context of 5032	5052	winsys.exe	555
PID 3820 set thread context of 4216	3820	winsys.exe	566
PID 4952 set thread context of 5100	4952	winsys.exe	568
PID 4148 set thread context of 4596	4148	winsys.exe	572
PID 5352 set thread context of 5548	5352	winsys.exe	615
PID 5340 set thread context of 5620	5340	winsys.exe	616

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsys.exe

NTFS ADS 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	winsys.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	winsys.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	Process not Found
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	Process not Found
File created	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	winsys.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	winsys.exe
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_	Process not Found
File opened for modification	C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found
File opened for modification	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF	Process not Found

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
2648	winsys.exe
1964	winsys.exe
2352	winsys.exe
2016	winsys.exe
2008	winsys.exe
2732	winsys.exe
1928	winsys.exe
948	winsys.exe
1864	winsys.exe
2256	winsys.exe
2912	winsys.exe
2948	winsys.exe
2088	winsys.exe
940	winsys.exe
3032	winsys.exe
2708	winsys.exe
2380	winsys.exe
2900	winsys.exe
2908	winsys.exe
2560	winsys.exe
2320	winsys.exe
1692	winsys.exe
2364	winsys.exe
2932	winsys.exe
3336	winsys.exe
3524	winsys.exe
3540	winsys.exe
1692	winsys.exe
1080	winsys.exe
3032	winsys.exe
3548	winsys.exe
3916	winsys.exe
3236	winsys.exe
3780	winsys.exe
3768	winsys.exe
3852	winsys.exe
3460	winsys.exe
3216	winsys.exe
1372	winsys.exe
3792	winsys.exe
3504	winsys.exe
4284	winsys.exe
4404	winsys.exe
4568	winsys.exe
4912	winsys.exe
4112	winsys.exe
4328	winsys.exe
3904	winsys.exe
1736	winsys.exe
3784	winsys.exe
4220	winsys.exe
4908	winsys.exe
4464	winsys.exe
3728	winsys.exe
3524	winsys.exe
5080	winsys.exe
2452	winsys.exe
5052	winsys.exe
3820	winsys.exe
4952	winsys.exe
4148	winsys.exe
5352	winsys.exe
5340	winsys.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 796 wrote to memory of 2780	796	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	29
PID 2780 wrote to memory of 1144	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	30
PID 2780 wrote to memory of 1144	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	30
PID 2780 wrote to memory of 1144	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	30
PID 2780 wrote to memory of 1144	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	30
PID 2780 wrote to memory of 1144	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	30
PID 2780 wrote to memory of 2660	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	31
PID 2780 wrote to memory of 2660	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	31
PID 2780 wrote to memory of 2660	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	31
PID 2780 wrote to memory of 2660	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	31
PID 2780 wrote to memory of 2660	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	31
PID 2780 wrote to memory of 2736	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	32
PID 2780 wrote to memory of 2736	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	32
PID 2780 wrote to memory of 2736	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	32
PID 2780 wrote to memory of 2736	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	32
PID 2780 wrote to memory of 2736	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	32
PID 2780 wrote to memory of 2264	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	33
PID 2780 wrote to memory of 2264	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	33
PID 2780 wrote to memory of 2264	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	33
PID 2780 wrote to memory of 2264	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	33
PID 2780 wrote to memory of 2264	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	33
PID 2780 wrote to memory of 2492	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	34
PID 2780 wrote to memory of 2492	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	34
PID 2780 wrote to memory of 2492	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	34
PID 2780 wrote to memory of 2492	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	34
PID 2780 wrote to memory of 2492	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	34
PID 2780 wrote to memory of 2888	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	35
PID 2780 wrote to memory of 2888	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	35
PID 2780 wrote to memory of 2888	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	35
PID 2780 wrote to memory of 2888	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	35
PID 2780 wrote to memory of 2888	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	35
PID 2780 wrote to memory of 2156	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	36
PID 2780 wrote to memory of 2156	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	36
PID 2780 wrote to memory of 2156	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	36
PID 2780 wrote to memory of 2156	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	36
PID 2780 wrote to memory of 2156	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	36
PID 2780 wrote to memory of 2296	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	37
PID 2780 wrote to memory of 2296	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	37
PID 2780 wrote to memory of 2296	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	37
PID 2780 wrote to memory of 2296	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	37
PID 2780 wrote to memory of 2296	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	37
PID 2780 wrote to memory of 692	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	38
PID 2780 wrote to memory of 692	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	38
PID 2780 wrote to memory of 692	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	38
PID 2780 wrote to memory of 692	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	38
PID 2780 wrote to memory of 2648	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	39
PID 2780 wrote to memory of 2648	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	39
PID 2780 wrote to memory of 2648	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	39
PID 2780 wrote to memory of 2648	2780	JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe	39
PID 2648 wrote to memory of 3056	2648	winsys.exe	40
PID 2648 wrote to memory of 3056	2648	winsys.exe	40
PID 2648 wrote to memory of 3056	2648	winsys.exe	40
PID 2648 wrote to memory of 3056	2648	winsys.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe"
1⤵
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aa59f694554f7383d005497687a3b5f.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Loads dropped DLL
    PID:1144
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1964
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2088
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2524
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:960
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:920
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1540
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        11⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2160
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2008
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Executes dropped EXE
        
        PID:2904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      PID:1928
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2508
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2192
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:948
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Executes dropped EXE
        
        PID:1380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2880
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:880
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2228
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2476
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        15⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        18⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        20⤵
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        21⤵
        Drops file in System32 directory
        
        PID:4156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        22⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        23⤵
        
        PID:5032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        26⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5340
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        27⤵
        
        PID:5620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:6124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:3820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:4596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        28⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        29⤵
        
        PID:5836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        30⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        31⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:5428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        32⤵
        NTFS ADS
        
        PID:6200
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        33⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:7604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:7920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:7392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:8116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:7176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:7200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:7288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        34⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        34⤵
        NTFS ADS
        
        PID:7580
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        35⤵
        
        PID:7836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        36⤵
        
        PID:7612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        36⤵
        
        PID:7572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        36⤵
        
        PID:7992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        36⤵
        
        PID:7556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        36⤵
        
        PID:8152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        36⤵
        
        PID:8132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        36⤵
        
        PID:8124
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2948
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Executes dropped EXE
        
        PID:1768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1484
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2004
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2172
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3032
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:948
      - C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        15⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:2188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:4380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        22⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        23⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        24⤵
        NTFS ADS
        
        PID:5988
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        25⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        27⤵
        
        PID:6344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:6508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:7040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:6912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:7104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:5548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:6588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        28⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        29⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:7892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:8100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:7916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:6516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:7224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:1108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        30⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        30⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        31⤵
        
        PID:7696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:8180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:7800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        32⤵
        
        PID:6928
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      PID:2380
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2392
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:3112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:976
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        12⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3780
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3788
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1692
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2816
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3344
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        10⤵
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:3852
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4284
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        15⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        16⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5080
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        17⤵
        
        PID:5104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5352
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        19⤵
        
        PID:5548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        20⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        21⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:3784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        22⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        23⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:6624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:5464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:6960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:6824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:6220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:7108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:6996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        24⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        25⤵
        Adds Run key to start application
        
        PID:7492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:5972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        26⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        27⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:7536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:8004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:8032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:7364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:8104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:7284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        28⤵
        
        PID:7976
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      PID:3540
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4060
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2388
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3520
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3216
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Adds Run key to start application
        
        PID:3388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4220
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        13⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        14⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:5052
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        16⤵
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:5716
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        17⤵
        
        PID:5840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        18⤵
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:5996
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        19⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:5788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:6512
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        21⤵
        
        PID:6928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:5100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:7000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        22⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        23⤵
        Adds Run key to start application
        
        PID:6292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:7500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:7900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:7408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:6768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:7192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:7220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:7280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        24⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        24⤵
        Drops file in System32 directory
        
        PID:7460
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        25⤵
        Drops file in System32 directory
        
        PID:7620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:8088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:6484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        26⤵
        
        PID:7600
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3236
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2900
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Drops file in System32 directory
        
        PID:1692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4912
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        
        PID:5040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        10⤵
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2336
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Suspicious use of SetThreadContext
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      PID:3792
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Adds Run key to start application
        
        PID:1660
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3088
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3076
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:4112
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Drops file in System32 directory
        
        PID:4224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        10⤵
        Suspicious use of SetThreadContext
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:3820
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        12⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        13⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        14⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6392
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        16⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:7080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:7076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:6828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:7348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        18⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        19⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:8120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:6208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        20⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        20⤵
        NTFS ADS
        
        PID:6968
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:8048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:7824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:7716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:7796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:8156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        22⤵
        
        PID:6992
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4328
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4844
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4696
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3728
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2416
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4556
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3932
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Adds Run key to start application
        
        PID:5648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        10⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6748
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        12⤵
        NTFS ADS
        
        PID:5468
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        13⤵
        
        PID:6968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:7932
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:6484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:6980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:8144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        16⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:7552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:7808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:7728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:7548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:8172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:7440
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      PID:4148
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5236
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5848
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        10⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        12⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        13⤵
        Drops file in System32 directory
        
        PID:7540
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6868
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      NTFS ADS
      PID:5864
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5960
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5956
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6756
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:6904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        NTFS ADS
        
        PID:5996
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Drops file in System32 directory
        
        PID:1384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6932
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        10⤵
        NTFS ADS
        
        PID:7224
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:7328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:8108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:6576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        12⤵
        NTFS ADS
        
        PID:7796
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        13⤵
        
        PID:7616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:6200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:7636
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      PID:6992
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        
        PID:5100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7116
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6764
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        NTFS ADS
        
        PID:6516
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        
        PID:6212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7028
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      PID:6200
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6948
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7644
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6344
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        
        PID:7840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8188
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        8⤵
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:8092
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:7584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:8060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:7368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:6892
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      PID:8028
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        
        PID:7944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7232
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7428
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:6880
      - C:\Windows\SysWOW64\system86\winsys.exe
        
        "C:\Windows\SysWOW64\system86\winsys.exe"
        6⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\system86\winsys.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:6584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:7704
  - - C:\Windows\SysWOW64\system86\winsys.exe
      "C:\Windows\system32\system86\winsys.exe"
      4⤵
      PID:8176
    - - C:\Windows\SysWOW64\system86\winsys.exe
        
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:7328
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2660
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2736
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2264
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2492
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2888
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2156
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2296
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:692
- - C:\Windows\SysWOW64\system86\winsys.exe
    "C:\Windows\system32\system86\winsys.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\system86\winsys.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:3056
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3040
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2512
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2472
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1216
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:540
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2976
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2964
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2992
    - - C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        "C:\Users\Admin\AppData\Roaming\system86\winsys.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:2352
      - C:\Users\Admin\AppData\Roaming\system86\winsys.exe
        
        6⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF

Filesize
971B

MD5
869c3d7c0cd179f84534ccc71f30b197

SHA1
5e6c59249c7e5b0efefd3bbc0354edacbb337da3

SHA256
d17a098a228ef6e6d97baea93767a7dfaefd81eca7d7091c5f6942946f82caa3

SHA512
1cf3fa1bd88a0488d4e633a0905ed11b4c8da953a52d00537b958596631bedc94d319b8638b44e03aac2b6d62c2f6ca27ea15f4bcbb52f3552fc99886dfe1d3f

Download Submit
C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF

Filesize
971B

MD5
600742bdf6ea29122d9675974a4c3a19

SHA1
f3fd50150eb5310a77dde68201fb1d5aacb31e70

SHA256
de6bf836273d86d51bd619c1ccd669d7d872ce506b36929ab94e2915808658d3

SHA512
53ef4ce7a1a32c420be613f5718c8d108243a3f5df7effd7fda77f287dc8fbfb56c37ee3d5de8569bb7bc1477db3fdc3d64e5ef21fead56845f56d0624badb90

Download Submit
C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BF1646XBHV2FJW016YRF47TPBJNGFSVF7VB4VP4GF

Filesize
971B

MD5
72b7487c40764c6807276c00221b2796

SHA1
90dd4f642187fc76f3741a8570c04013e82f1268

SHA256
0692ece6211fd1fdeca41e8531acb1e6d3505ea8ba6b5e0d114075610e47f2cd

SHA512
911bc23c7be5cb4d3580930b77b859296c82ae871f2fddff034ec7cfd312002eb757578d34ae46b9c957c1fa2e7dfd9ee9bac8d88ac87be2b9644ae03956279e

Download Submit
C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0\Data\app.dat

Filesize
971B

MD5
bc927f9c98623eb2f1beefde02085316

SHA1
1421822873d453d24f874a10d7d1293f463b7f39

SHA256
3fc2933b01a45913d9599df921784bbc85ff754b265b289a24e15e5a5fdf4717

SHA512
bf1ba87f836d7e2f8b2d30eecf9052959395d7d94493e4a5e66f24c0f3ea4ea529b3da03be2024c86d3479310130d7f6421c13aa45ecaa5929d070c2c082782e

Download Submit
C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0\Data\app.dat

Filesize
971B

MD5
2facd573e47c2c10dc5aedfb5f67986e

SHA1
73531459532e5e0c6e31b9bddef484becde2b8fa

SHA256
f660696d1e4923bb95efd854efac898bebd528f714d83874dc97b7546313805b

SHA512
bfae81b7c8571e7472e2196fd757efaccb82b011727a120d5dea1778772d2f87a2065a7b6a2d64d2332cac9b38530742fae008b8ab24dadac089fd0ba34719e7

Download Submit
C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0\Data\updates.dat

Filesize
971B

MD5
1672edcaa69fcd6696d210fc27d84760

SHA1
237db715a17c381a2380a34b9f8f7c487745d12e

SHA256
f03b737036e9bd0994ccf00e196a9e13906a60bdeae5fbe39cfb5d84928c78d8

SHA512
ec640b23882c32ee0cd76b6aafa9c5e65bbf65a15d9a8ed2ae95364a2f1c40bce3202cafa7adebda9f39d69f299fb9aee86a3683ce1b67664bddb49d4982371c

Download Submit
C:\ProgramData\DYA_AOTCDGIILGPMOMALC\1.0.0\Data\updates.dat

Filesize
971B

MD5
1175e336e26386f6a79d83946bfba605

SHA1
83017e88dd1eac46ed350f633757ec254124ffee

SHA256
3089e341a9f28ff99f1d5c313d5d9aa1ea67687d3b5827fa60cbb4d2986e92a2

SHA512
13ec7df0bf5617983a196bdeb31f300be55345d88dd30c4b8a54cd2508d71c7273b34cdf93780f45252af62048ff7085eacae6a5ae3f83780f4a967912214ca5

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_AOTCDGIILGPMOMALC\1.0.0\Data\dya.dat

Filesize
971B

MD5
954c62ee6376d7502831ae39831caadc

SHA1
75860379a9f0ae31e3b21fc9fc839f3f534c792b

SHA256
1d7e0004629ce379e7c39f3416111cede15f1badb5d232dad40c56371f647ef7

SHA512
d8dbd31c6c4e09035a88e1ceea90d54a37c8472b955c1db9fc06fd0bc0c1712c2047060d1aabc5f34205015de8e081dea536bcdb3ab4bfb56679c6281c98d1af

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_AOTCDGIILGPMOMALC\1.0.0\Data\dya.dat

Filesize
971B

MD5
724ec000816b0c821ced92e59ef42eff

SHA1
f88e27d1a891e4b457eae35d9d43db485d6df500

SHA256
ad20b7c10fef7a02881d2717e4dbeedc7295febb584a847def4c2c548ee2f399

SHA512
366a2b60bdc8035fd42865fe52856df5381167d5fd388493e454940e67d119b1ade83baf747cc34d4db26a49780277db662639974968967f99c5e0da0c43cc10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\[email protected]

Filesize
1KB

MD5
618c7989fdafe0f77123fd250b2d40a2

SHA1
e3520b307731a3ef9b1fa4afeb746968bfa407ca

SHA256
22fe7cec277849088cb33fd7117650f69b79a6fc6f58941ed2fa71cf08c5664b

SHA512
5e2ed63694201898f1261df848be1b29cdc8157fe150394d5ac4a05ba2cd627d0abb00011825fe4777db7d661dee55d1fdeb4b958425c631b932d93465789ed6

Download Submit
C:\Windows\SysWOW64\system86\winsys.exe

Filesize
432KB

MD5
7aa59f694554f7383d005497687a3b5f

SHA1
7d31ecc2bfd70937e553c15a1b171be37cfb42b9

SHA256
261e2670c76edb0f4e643a2be845d06a755161ec93b6cd9d525edc6dcf76570a

SHA512
f10ca5be1bf76da4bdd117d6b39e8ed40ccfaa2fee31d7177b890cb07eb48bed7b6a75fabbeafaa9137ab6816024ac612cc5258806cda9ce64c082df8c492acf

Download Submit
memory/796-46-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/796-44-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/796-61-0x000000000040A000-0x00000000004A7000-memory.dmp

Filesize
628KB

Download
memory/796-59-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/796-1-0x000000000040A000-0x00000000004A7000-memory.dmp

Filesize
628KB

Download
memory/796-0-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/796-43-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/1144-68-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1964-157-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/1964-156-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/1964-179-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/1964-155-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/2352-207-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/2352-206-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/2648-74-0x000000000040A000-0x00000000004A7000-memory.dmp

Filesize
628KB

Download
memory/2648-99-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/2648-98-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/2648-109-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/2648-116-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/2648-115-0x000000000040A000-0x00000000004A7000-memory.dmp

Filesize
628KB

Download
memory/2780-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-48-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-49-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-50-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-51-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-52-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-60-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-62-0x0000000000400000-0x00000000004ABB0C-memory.dmp

Filesize
686KB

Download
memory/2780-53-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-54-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-57-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2780-58-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads