bd279983321721952ecc03d4b3de85e991e1dfd8eb072e79a51d8a382b2d5111

Analysis

max time kernel
211s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009e7941ceae50c5f7220462fcf35b0c.exe
Size

216KB
MD5

009e7941ceae50c5f7220462fcf35b0c
SHA1

3f32bdcf43cf1baea2eaea9627c62e7e8ff35c18
SHA256

bd279983321721952ecc03d4b3de85e991e1dfd8eb072e79a51d8a382b2d5111
SHA512

f62668a4127a46c142636d3ff88f3a28ea9a8f7048e94feae6f4429401b18ad3b0a0bb082e3f9957fea5d4bb2085a13122f9c881688d0243b5bf820571e3ee7b
SSDEEP

6144:HGZLlL56XKpWl+PHwFb2B6XKpWVJl1ZbG:sLfg+oFOa7q

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
980	kernel.exe
2340	kernel.exe
1508	kernel.exe
1956	kernel.exe
1068	kernel.exe
2544	kernel.exe
1960	kernel.exe
872	kernel.exe
392	kernel.exe
2052	kernel.exe
1736	kernel.exe
1544	kernel.exe
2312	kernel.exe
2152	kernel.exe
664	kernel.exe
2252	kernel.exe
2004	kernel.exe
2012	kernel.exe
2308	kernel.exe
1864	kernel.exe
1984	kernel.exe
1616	kernel.exe
2872	kernel.exe
1760	kernel.exe
996	kernel.exe
1660	kernel.exe
2940	kernel.exe
2788	kernel.exe
2848	kernel.exe
2600	kernel.exe
2596	kernel.exe
2024	kernel.exe
2708	kernel.exe
2688	kernel.exe
2584	kernel.exe
1656	kernel.exe
2512	kernel.exe
2832	kernel.exe
2616	kernel.exe
3048	kernel.exe
1540	kernel.exe
636	kernel.exe
1456	kernel.exe
3004	kernel.exe
476	kernel.exe
1552	kernel.exe
952	kernel.exe
3052	kernel.exe
2896	kernel.exe
2892	kernel.exe
2304	kernel.exe
1292	kernel.exe
2276	kernel.exe
2632	kernel.exe
2228	kernel.exe
320	kernel.exe
2352	kernel.exe
2404	kernel.exe
2332	kernel.exe
1500	kernel.exe
1376	kernel.exe
1988	kernel.exe
1976	kernel.exe
1768	kernel.exe

Loads dropped DLL 64 IoCs

pid	Process
2696	009e7941ceae50c5f7220462fcf35b0c.exe
2696	009e7941ceae50c5f7220462fcf35b0c.exe
980	kernel.exe
980	kernel.exe
2340	kernel.exe
2340	kernel.exe
1508	kernel.exe
1508	kernel.exe
1956	kernel.exe
1956	kernel.exe
1068	kernel.exe
1068	kernel.exe
2544	kernel.exe
2544	kernel.exe
1960	kernel.exe
1960	kernel.exe
872	kernel.exe
872	kernel.exe
392	kernel.exe
392	kernel.exe
2052	kernel.exe
2052	kernel.exe
1736	kernel.exe
1736	kernel.exe
1544	kernel.exe
1544	kernel.exe
2312	kernel.exe
2312	kernel.exe
2152	kernel.exe
2152	kernel.exe
664	kernel.exe
664	kernel.exe
2252	kernel.exe
2252	kernel.exe
2004	kernel.exe
2004	kernel.exe
2012	kernel.exe
2012	kernel.exe
2308	kernel.exe
2308	kernel.exe
1864	kernel.exe
1864	kernel.exe
1984	kernel.exe
1984	kernel.exe
1616	kernel.exe
1616	kernel.exe
2872	kernel.exe
2872	kernel.exe
1760	kernel.exe
1760	kernel.exe
996	kernel.exe
996	kernel.exe
1660	kernel.exe
1660	kernel.exe
2940	kernel.exe
2940	kernel.exe
2788	kernel.exe
2788	kernel.exe
2848	kernel.exe
2848	kernel.exe
2600	kernel.exe
2600	kernel.exe
2596	kernel.exe
2596	kernel.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File created	C:\Windows\SysWOW64\kernel.exe	kernel.exe
File opened for modification	C:\Windows\SysWOW64\kernel.exe	kernel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2696	009e7941ceae50c5f7220462fcf35b0c.exe
980	kernel.exe
2340	kernel.exe
1508	kernel.exe
1956	kernel.exe
1068	kernel.exe
2544	kernel.exe
1960	kernel.exe
872	kernel.exe
392	kernel.exe
2052	kernel.exe
1736	kernel.exe
1544	kernel.exe
2312	kernel.exe
2152	kernel.exe
664	kernel.exe
2252	kernel.exe
2004	kernel.exe
2012	kernel.exe
2308	kernel.exe
1864	kernel.exe
1984	kernel.exe
1616	kernel.exe
2872	kernel.exe
1760	kernel.exe
996	kernel.exe
1660	kernel.exe
2940	kernel.exe
2788	kernel.exe
2848	kernel.exe
2600	kernel.exe
2596	kernel.exe
2024	kernel.exe
2708	kernel.exe
2688	kernel.exe
2584	kernel.exe
1656	kernel.exe
2832	kernel.exe
2616	kernel.exe
3048	kernel.exe
1540	kernel.exe
636	kernel.exe
1456	kernel.exe
3004	kernel.exe
476	kernel.exe
1552	kernel.exe
952	kernel.exe
3052	kernel.exe
2896	kernel.exe
2892	kernel.exe
2304	kernel.exe
1292	kernel.exe
2276	kernel.exe
2632	kernel.exe
2228	kernel.exe
320	kernel.exe
2352	kernel.exe
2404	kernel.exe
2332	kernel.exe
1500	kernel.exe
1376	kernel.exe
1988	kernel.exe
1976	kernel.exe
1768	kernel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 980	2696	009e7941ceae50c5f7220462fcf35b0c.exe	29
PID 2696 wrote to memory of 980	2696	009e7941ceae50c5f7220462fcf35b0c.exe	29
PID 2696 wrote to memory of 980	2696	009e7941ceae50c5f7220462fcf35b0c.exe	29
PID 2696 wrote to memory of 980	2696	009e7941ceae50c5f7220462fcf35b0c.exe	29
PID 980 wrote to memory of 2340	980	kernel.exe	30
PID 980 wrote to memory of 2340	980	kernel.exe	30
PID 980 wrote to memory of 2340	980	kernel.exe	30
PID 980 wrote to memory of 2340	980	kernel.exe	30
PID 2340 wrote to memory of 1508	2340	kernel.exe	31
PID 2340 wrote to memory of 1508	2340	kernel.exe	31
PID 2340 wrote to memory of 1508	2340	kernel.exe	31
PID 2340 wrote to memory of 1508	2340	kernel.exe	31
PID 1508 wrote to memory of 1956	1508	kernel.exe	32
PID 1508 wrote to memory of 1956	1508	kernel.exe	32
PID 1508 wrote to memory of 1956	1508	kernel.exe	32
PID 1508 wrote to memory of 1956	1508	kernel.exe	32
PID 1956 wrote to memory of 1068	1956	kernel.exe	33
PID 1956 wrote to memory of 1068	1956	kernel.exe	33
PID 1956 wrote to memory of 1068	1956	kernel.exe	33
PID 1956 wrote to memory of 1068	1956	kernel.exe	33
PID 1068 wrote to memory of 2544	1068	kernel.exe	34
PID 1068 wrote to memory of 2544	1068	kernel.exe	34
PID 1068 wrote to memory of 2544	1068	kernel.exe	34
PID 1068 wrote to memory of 2544	1068	kernel.exe	34
PID 2544 wrote to memory of 1960	2544	kernel.exe	35
PID 2544 wrote to memory of 1960	2544	kernel.exe	35
PID 2544 wrote to memory of 1960	2544	kernel.exe	35
PID 2544 wrote to memory of 1960	2544	kernel.exe	35
PID 1960 wrote to memory of 872	1960	kernel.exe	36
PID 1960 wrote to memory of 872	1960	kernel.exe	36
PID 1960 wrote to memory of 872	1960	kernel.exe	36
PID 1960 wrote to memory of 872	1960	kernel.exe	36
PID 872 wrote to memory of 392	872	kernel.exe	37
PID 872 wrote to memory of 392	872	kernel.exe	37
PID 872 wrote to memory of 392	872	kernel.exe	37
PID 872 wrote to memory of 392	872	kernel.exe	37
PID 392 wrote to memory of 2052	392	kernel.exe	38
PID 392 wrote to memory of 2052	392	kernel.exe	38
PID 392 wrote to memory of 2052	392	kernel.exe	38
PID 392 wrote to memory of 2052	392	kernel.exe	38
PID 2052 wrote to memory of 1736	2052	kernel.exe	39
PID 2052 wrote to memory of 1736	2052	kernel.exe	39
PID 2052 wrote to memory of 1736	2052	kernel.exe	39
PID 2052 wrote to memory of 1736	2052	kernel.exe	39
PID 1736 wrote to memory of 1544	1736	kernel.exe	40
PID 1736 wrote to memory of 1544	1736	kernel.exe	40
PID 1736 wrote to memory of 1544	1736	kernel.exe	40
PID 1736 wrote to memory of 1544	1736	kernel.exe	40
PID 1544 wrote to memory of 2312	1544	kernel.exe	41
PID 1544 wrote to memory of 2312	1544	kernel.exe	41
PID 1544 wrote to memory of 2312	1544	kernel.exe	41
PID 1544 wrote to memory of 2312	1544	kernel.exe	41
PID 2312 wrote to memory of 2152	2312	kernel.exe	42
PID 2312 wrote to memory of 2152	2312	kernel.exe	42
PID 2312 wrote to memory of 2152	2312	kernel.exe	42
PID 2312 wrote to memory of 2152	2312	kernel.exe	42
PID 2152 wrote to memory of 664	2152	kernel.exe	43
PID 2152 wrote to memory of 664	2152	kernel.exe	43
PID 2152 wrote to memory of 664	2152	kernel.exe	43
PID 2152 wrote to memory of 664	2152	kernel.exe	43
PID 664 wrote to memory of 2252	664	kernel.exe	44
PID 664 wrote to memory of 2252	664	kernel.exe	44
PID 664 wrote to memory of 2252	664	kernel.exe	44
PID 664 wrote to memory of 2252	664	kernel.exe	44

C:\Users\Admin\AppData\Local\Temp\009e7941ceae50c5f7220462fcf35b0c.exe
"C:\Users\Admin\AppData\Local\Temp\009e7941ceae50c5f7220462fcf35b0c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\kernel.exe
  C:\Windows\system32\kernel.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\kernel.exe
    C:\Windows\system32\kernel.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\kernel.exe
      C:\Windows\system32\kernel.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        38⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:476
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        52⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        60⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        62⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        64⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        66⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        67⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        68⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        69⤵
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        70⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        71⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        72⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        73⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        74⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        75⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        76⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        77⤵
        
        PID:664
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        78⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        79⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        80⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        81⤵
        
        PID:616
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        82⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        83⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        84⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        85⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        86⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        87⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        88⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        89⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        90⤵
        
        PID:696
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        91⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        92⤵
        
        PID:644
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        93⤵
        
        PID:292
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        94⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        95⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        96⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        97⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        98⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        99⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        100⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        101⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        102⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        103⤵
        
        PID:944
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        104⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        105⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        106⤵
        
        PID:936
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        107⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        108⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        109⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        110⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        111⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        112⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        113⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        114⤵
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        115⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        116⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        117⤵
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        118⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        119⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        120⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        121⤵
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        122⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        123⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        124⤵
        
        PID:284
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        125⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        126⤵
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        127⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        128⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        129⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        130⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        131⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        132⤵
        
        PID:400
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        133⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        134⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        135⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        136⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        137⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        138⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        139⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        140⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        141⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        142⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        143⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        144⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        145⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        146⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        147⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        148⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        149⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        150⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        151⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        152⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        153⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        154⤵
        
        PID:528
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        155⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        156⤵
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        157⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        158⤵
        
        PID:348
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        159⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        160⤵
        
        PID:952
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        161⤵
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        162⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        163⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        164⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        165⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        166⤵
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        167⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        168⤵
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        169⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        170⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        171⤵
        
        PID:324
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        172⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        173⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        174⤵
        Drops file in System32 directory
        
        PID:800
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        175⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        176⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        177⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        178⤵
        
        PID:336
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        179⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        180⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        181⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        182⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        183⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        184⤵
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        185⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        186⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        187⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        188⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        189⤵
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        190⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        191⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        192⤵
        
        PID:956
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        193⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        194⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        195⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        196⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        197⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        198⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        199⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        200⤵
        
        PID:988
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        201⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        202⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        203⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        204⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        205⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        206⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        207⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        208⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        209⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        210⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        211⤵
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        212⤵
        
        PID:916
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        213⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        214⤵
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        215⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        216⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        217⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        218⤵
        
        PID:696
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        219⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        220⤵
        Drops file in System32 directory
        
        PID:292
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        221⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        222⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        223⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        224⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        225⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        226⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        227⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        228⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\kernel.exe
        
        C:\Windows\system32\kernel.exe
        229⤵
        
        PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\kernel.exe

Filesize
216KB

MD5
009e7941ceae50c5f7220462fcf35b0c

SHA1
3f32bdcf43cf1baea2eaea9627c62e7e8ff35c18

SHA256
bd279983321721952ecc03d4b3de85e991e1dfd8eb072e79a51d8a382b2d5111

SHA512
f62668a4127a46c142636d3ff88f3a28ea9a8f7048e94feae6f4429401b18ad3b0a0bb082e3f9957fea5d4bb2085a13122f9c881688d0243b5bf820571e3ee7b

Download Submit
\Windows\SysWOW64\kernel.exe

Filesize
128KB

MD5
675afcdecf051bbeb36cbcdaf1014d7a

SHA1
5a2a698cf91300b3f01990564e02118c28a9aced

SHA256
8a771ac4d1c4db777a25a660aa2310094af6b0d8b408a11374d6b69118faef17

SHA512
1ad075daca6707679a89ffc7d4a74d6eb7058f4f70bf3cb2a7b2fb6797dec9b483feef4b2d003762e4fe290017d9ffc71013750180e22bdcce353eb80bd08798

Download Submit
\Windows\SysWOW64\kernel.exe

Filesize
64KB

MD5
f0881f6e26d967e388518a707c22fdcf

SHA1
79e4cab16f0c0a2a06eaf12035929d2c67e99b59

SHA256
982aa14ffeb601da87a2a93a86ed49f3a05c7b662e7dc559d947fbe6da907747

SHA512
4fff5f24f09457d899bd0b36003382b968db2f141994ca798789a70d9bcbb84d098fa40684f55e0900e154cdee066ed98dbce1e2c0ad2142860fe91c87b14ce3

Download Submit