cc3635e8f69d39427f470f0c6a687e88ea006c70077601177dd0852778d2ad08

Analysis

max time kernel
59s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

G_Server.exe
Size

388KB
MD5

16c8a6096c6a55b0f1ac09b9882ee7b0
SHA1

48840eb1d44b376479553c99e33d1020b8031c66
SHA256

83f4acc7f2125e46ec8a6a9f205a1340f93322a1a8812ba75db41bd71e606a13
SHA512

89767fad311f15a6a03a8e966651b874d146ef226d9cb08835a555d42065b7fbe333504d60b33e2783b6d680209a4911950a82b4b936e7d9fd5c3c1bf398e1c5
SSDEEP

12288:JPgzpWVpdgb8Q2fG3Fd4WxbDCy2anwWhan:PTX+JxbDQu3An

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

KERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXE

pid	process
2536	KERNEL32.EXE
2412	KERNEL32.EXE
2296	KERNEL32.EXE
800	KERNEL32.EXE
1820	KERNEL32.EXE
668	KERNEL32.EXE
2068	KERNEL32.EXE
780	KERNEL32.EXE
1724	KERNEL32.EXE
3068	KERNEL32.EXE
1560	KERNEL32.EXE
696	KERNEL32.EXE
2972	KERNEL32.EXE
1732	KERNEL32.EXE
1552	KERNEL32.EXE
2192	KERNEL32.EXE
328	KERNEL32.EXE
2756	KERNEL32.EXE
2680	KERNEL32.EXE
1468	KERNEL32.EXE
2472	KERNEL32.EXE
2712	KERNEL32.EXE
2324	KERNEL32.EXE
1676	KERNEL32.EXE
1340	KERNEL32.EXE
2944	KERNEL32.EXE
2120	KERNEL32.EXE
668	KERNEL32.EXE
2068	KERNEL32.EXE
556	KERNEL32.EXE
3028	KERNEL32.EXE
1456	KERNEL32.EXE
1724	KERNEL32.EXE
2904	KERNEL32.EXE
920	KERNEL32.EXE
940	KERNEL32.EXE
2212	KERNEL32.EXE
2888	KERNEL32.EXE
1996	KERNEL32.EXE
2556	KERNEL32.EXE
1548	KERNEL32.EXE
2772	KERNEL32.EXE
2576	KERNEL32.EXE
2836	KERNEL32.EXE
1884	KERNEL32.EXE
1652	KERNEL32.EXE
1656	KERNEL32.EXE
2144	KERNEL32.EXE
800	KERNEL32.EXE
2288	KERNEL32.EXE
348	KERNEL32.EXE
1624	KERNEL32.EXE
704	KERNEL32.EXE
2120	KERNEL32.EXE
668	KERNEL32.EXE
580	KERNEL32.EXE
388	KERNEL32.EXE
956	KERNEL32.EXE
1932	KERNEL32.EXE
376	KERNEL32.EXE
912	KERNEL32.EXE
1716	KERNEL32.EXE
1028	KERNEL32.EXE
1452	KERNEL32.EXE

Loads dropped DLL 64 IoCs

Processes:

G_Server.exeKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXE

pid	process
2868	G_Server.exe
2868	G_Server.exe
2536	KERNEL32.EXE
2536	KERNEL32.EXE
2536	KERNEL32.EXE
2412	KERNEL32.EXE
2412	KERNEL32.EXE
2412	KERNEL32.EXE
2296	KERNEL32.EXE
2296	KERNEL32.EXE
2296	KERNEL32.EXE
800	KERNEL32.EXE
800	KERNEL32.EXE
800	KERNEL32.EXE
1820	KERNEL32.EXE
1820	KERNEL32.EXE
1820	KERNEL32.EXE
668	KERNEL32.EXE
668	KERNEL32.EXE
668	KERNEL32.EXE
2068	KERNEL32.EXE
2068	KERNEL32.EXE
2068	KERNEL32.EXE
780	KERNEL32.EXE
780	KERNEL32.EXE
780	KERNEL32.EXE
1724	KERNEL32.EXE
1724	KERNEL32.EXE
1724	KERNEL32.EXE
3068	KERNEL32.EXE
3068	KERNEL32.EXE
3068	KERNEL32.EXE
1560	KERNEL32.EXE
1560	KERNEL32.EXE
1560	KERNEL32.EXE
696	KERNEL32.EXE
696	KERNEL32.EXE
696	KERNEL32.EXE
2972	KERNEL32.EXE
2972	KERNEL32.EXE
2972	KERNEL32.EXE
1732	KERNEL32.EXE
1732	KERNEL32.EXE
1732	KERNEL32.EXE
1552	KERNEL32.EXE
1552	KERNEL32.EXE
1552	KERNEL32.EXE
2192	KERNEL32.EXE
2192	KERNEL32.EXE
2192	KERNEL32.EXE
328	KERNEL32.EXE
328	KERNEL32.EXE
328	KERNEL32.EXE
2756	KERNEL32.EXE
2756	KERNEL32.EXE
2756	KERNEL32.EXE
2680	KERNEL32.EXE
2680	KERNEL32.EXE
2680	KERNEL32.EXE
1468	KERNEL32.EXE
1468	KERNEL32.EXE
1468	KERNEL32.EXE
2472	KERNEL32.EXE
2472	KERNEL32.EXE

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

KERNEL32.EXEG_Server.exeKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	G_Server.exe
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE
File opened for modification	\??\PhysicalDrive0	KERNEL32.EXE

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

G_Server.exeKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXE

description	pid	process	target process
PID 2868 wrote to memory of 2536	2868	G_Server.exe	KERNEL32.EXE
PID 2868 wrote to memory of 2536	2868	G_Server.exe	KERNEL32.EXE
PID 2868 wrote to memory of 2536	2868	G_Server.exe	KERNEL32.EXE
PID 2868 wrote to memory of 2536	2868	G_Server.exe	KERNEL32.EXE
PID 2536 wrote to memory of 2412	2536	KERNEL32.EXE	KERNEL32.EXE
PID 2536 wrote to memory of 2412	2536	KERNEL32.EXE	KERNEL32.EXE
PID 2536 wrote to memory of 2412	2536	KERNEL32.EXE	KERNEL32.EXE
PID 2536 wrote to memory of 2412	2536	KERNEL32.EXE	KERNEL32.EXE
PID 2412 wrote to memory of 2296	2412	KERNEL32.EXE	KERNEL32.EXE
PID 2412 wrote to memory of 2296	2412	KERNEL32.EXE	KERNEL32.EXE
PID 2412 wrote to memory of 2296	2412	KERNEL32.EXE	KERNEL32.EXE
PID 2412 wrote to memory of 2296	2412	KERNEL32.EXE	KERNEL32.EXE
PID 2296 wrote to memory of 800	2296	KERNEL32.EXE	KERNEL32.EXE
PID 2296 wrote to memory of 800	2296	KERNEL32.EXE	KERNEL32.EXE
PID 2296 wrote to memory of 800	2296	KERNEL32.EXE	KERNEL32.EXE
PID 2296 wrote to memory of 800	2296	KERNEL32.EXE	KERNEL32.EXE
PID 800 wrote to memory of 1820	800	KERNEL32.EXE	KERNEL32.EXE
PID 800 wrote to memory of 1820	800	KERNEL32.EXE	KERNEL32.EXE
PID 800 wrote to memory of 1820	800	KERNEL32.EXE	KERNEL32.EXE
PID 800 wrote to memory of 1820	800	KERNEL32.EXE	KERNEL32.EXE
PID 1820 wrote to memory of 668	1820	KERNEL32.EXE	KERNEL32.EXE
PID 1820 wrote to memory of 668	1820	KERNEL32.EXE	KERNEL32.EXE
PID 1820 wrote to memory of 668	1820	KERNEL32.EXE	KERNEL32.EXE
PID 1820 wrote to memory of 668	1820	KERNEL32.EXE	KERNEL32.EXE
PID 668 wrote to memory of 2068	668	KERNEL32.EXE	KERNEL32.EXE
PID 668 wrote to memory of 2068	668	KERNEL32.EXE	KERNEL32.EXE
PID 668 wrote to memory of 2068	668	KERNEL32.EXE	KERNEL32.EXE
PID 668 wrote to memory of 2068	668	KERNEL32.EXE	KERNEL32.EXE
PID 2068 wrote to memory of 780	2068	KERNEL32.EXE	KERNEL32.EXE
PID 2068 wrote to memory of 780	2068	KERNEL32.EXE	KERNEL32.EXE
PID 2068 wrote to memory of 780	2068	KERNEL32.EXE	KERNEL32.EXE
PID 2068 wrote to memory of 780	2068	KERNEL32.EXE	KERNEL32.EXE
PID 780 wrote to memory of 1724	780	KERNEL32.EXE	KERNEL32.EXE
PID 780 wrote to memory of 1724	780	KERNEL32.EXE	KERNEL32.EXE
PID 780 wrote to memory of 1724	780	KERNEL32.EXE	KERNEL32.EXE
PID 780 wrote to memory of 1724	780	KERNEL32.EXE	KERNEL32.EXE
PID 1724 wrote to memory of 3068	1724	KERNEL32.EXE	KERNEL32.EXE
PID 1724 wrote to memory of 3068	1724	KERNEL32.EXE	KERNEL32.EXE
PID 1724 wrote to memory of 3068	1724	KERNEL32.EXE	KERNEL32.EXE
PID 1724 wrote to memory of 3068	1724	KERNEL32.EXE	KERNEL32.EXE
PID 3068 wrote to memory of 1560	3068	KERNEL32.EXE	KERNEL32.EXE
PID 3068 wrote to memory of 1560	3068	KERNEL32.EXE	KERNEL32.EXE
PID 3068 wrote to memory of 1560	3068	KERNEL32.EXE	KERNEL32.EXE
PID 3068 wrote to memory of 1560	3068	KERNEL32.EXE	KERNEL32.EXE
PID 1560 wrote to memory of 696	1560	KERNEL32.EXE	KERNEL32.EXE
PID 1560 wrote to memory of 696	1560	KERNEL32.EXE	KERNEL32.EXE
PID 1560 wrote to memory of 696	1560	KERNEL32.EXE	KERNEL32.EXE
PID 1560 wrote to memory of 696	1560	KERNEL32.EXE	KERNEL32.EXE
PID 696 wrote to memory of 2972	696	KERNEL32.EXE	KERNEL32.EXE
PID 696 wrote to memory of 2972	696	KERNEL32.EXE	KERNEL32.EXE
PID 696 wrote to memory of 2972	696	KERNEL32.EXE	KERNEL32.EXE
PID 696 wrote to memory of 2972	696	KERNEL32.EXE	KERNEL32.EXE
PID 2972 wrote to memory of 1732	2972	KERNEL32.EXE	KERNEL32.EXE
PID 2972 wrote to memory of 1732	2972	KERNEL32.EXE	KERNEL32.EXE
PID 2972 wrote to memory of 1732	2972	KERNEL32.EXE	KERNEL32.EXE
PID 2972 wrote to memory of 1732	2972	KERNEL32.EXE	KERNEL32.EXE
PID 1732 wrote to memory of 1552	1732	KERNEL32.EXE	KERNEL32.EXE
PID 1732 wrote to memory of 1552	1732	KERNEL32.EXE	KERNEL32.EXE
PID 1732 wrote to memory of 1552	1732	KERNEL32.EXE	KERNEL32.EXE
PID 1732 wrote to memory of 1552	1732	KERNEL32.EXE	KERNEL32.EXE
PID 1552 wrote to memory of 2192	1552	KERNEL32.EXE	KERNEL32.EXE
PID 1552 wrote to memory of 2192	1552	KERNEL32.EXE	KERNEL32.EXE
PID 1552 wrote to memory of 2192	1552	KERNEL32.EXE	KERNEL32.EXE
PID 1552 wrote to memory of 2192	1552	KERNEL32.EXE	KERNEL32.EXE

C:\Users\Admin\AppData\Local\Temp\G_Server.exe
"C:\Users\Admin\AppData\Local\Temp\G_Server.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
PID:2192

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2756

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2680

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
PID:1468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2472

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
23⤵
- Executes dropped EXE
- Modifies system executable filetype association
PID:2712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
24⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
PID:2324

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
25⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1676

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
26⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
27⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2944

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
28⤵
- Executes dropped EXE
PID:2120

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
29⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
PID:668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
30⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2068

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
32⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
PID:3028

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
33⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:1456

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
34⤵
- Executes dropped EXE
PID:1724

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
35⤵
- Executes dropped EXE
PID:2904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
36⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:920

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
37⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:940

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
38⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
PID:2212

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
39⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
40⤵
- Executes dropped EXE
- Modifies system executable filetype association
PID:1996

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
41⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
42⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
43⤵
- Executes dropped EXE
PID:2772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
44⤵
- Executes dropped EXE
PID:2576

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
45⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2836

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1884

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
47⤵
- Executes dropped EXE
- Modifies system executable filetype association
PID:1652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
48⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
49⤵
- Executes dropped EXE
PID:2144

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
50⤵
- Executes dropped EXE
PID:800

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
51⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
52⤵
- Executes dropped EXE
PID:348

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
53⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1624

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
54⤵
- Executes dropped EXE
- Modifies system executable filetype association
PID:704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
55⤵
- Executes dropped EXE
PID:2120

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
56⤵
- Executes dropped EXE
PID:668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:580

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
58⤵
- Executes dropped EXE
PID:388

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:956

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
60⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
61⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies registry class
PID:376

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
62⤵
- Executes dropped EXE
- Adds Run key to start application
PID:912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
63⤵
- Executes dropped EXE
PID:1716

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
64⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
PID:1028

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
65⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1452

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
66⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2568

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
67⤵
- Adds Run key to start application
PID:2960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
69⤵
PID:2912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
70⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:3024

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
71⤵
- Modifies system executable filetype association
- Modifies registry class
PID:884

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
72⤵
- Modifies registry class
PID:2600

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
73⤵
- Drops file in System32 directory
PID:1016

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
74⤵
PID:2316

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
75⤵
PID:1704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
76⤵
PID:2732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
77⤵
- Adds Run key to start application
PID:1376

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
78⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2172

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
79⤵
PID:1284

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
80⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2336

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
81⤵
- Drops file in System32 directory
PID:1424

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
82⤵
- Writes to the Master Boot Record (MBR)
PID:476

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
83⤵
PID:780

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
84⤵
- Modifies system executable filetype association
PID:1908

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
85⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
PID:876

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
86⤵
- Drops file in System32 directory
PID:2980

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
87⤵
- Adds Run key to start application
PID:2668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
88⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:1568

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
89⤵
- Modifies system executable filetype association
- Adds Run key to start application
PID:2696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
90⤵
- Adds Run key to start application
PID:2088

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
91⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2516

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
92⤵
PID:2608

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
93⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2624

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
94⤵
PID:2424

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
95⤵
PID:2704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
96⤵
PID:3024

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
97⤵
PID:2728

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
98⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1020

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
99⤵
PID:1828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
100⤵
- Writes to the Master Boot Record (MBR)
PID:1888

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
101⤵
PID:1704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
102⤵
- Modifies registry class
PID:1468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
103⤵
PID:1960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
104⤵
- Modifies system executable filetype association
PID:1616

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
105⤵
- Drops file in System32 directory
PID:596

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
106⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies registry class
PID:3000

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
107⤵
PID:3044

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
108⤵
PID:2092

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
109⤵
- Modifies system executable filetype association
PID:3032

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
110⤵
- Modifies registry class
PID:2752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
111⤵
- Modifies system executable filetype association
PID:2984

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
112⤵
- Writes to the Master Boot Record (MBR)
PID:2032

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
113⤵
- Modifies system executable filetype association
- Modifies registry class
PID:3016

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
114⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
PID:1868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
115⤵
PID:1028

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
116⤵
PID:892

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
117⤵
- Writes to the Master Boot Record (MBR)
PID:2692

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
118⤵
- Modifies system executable filetype association
PID:2536

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
119⤵
- Modifies system executable filetype association
- Modifies registry class
PID:2624

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
120⤵
- Adds Run key to start application
PID:1752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
121⤵
- Modifies registry class
PID:2912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
122⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
PID:2524

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
123⤵
- Drops file in System32 directory
- Modifies registry class
PID:2728

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
124⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2724

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
125⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
PID:280

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
126⤵
- Modifies registry class
PID:1516

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
127⤵
PID:2132

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
128⤵
- Modifies registry class
PID:752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
129⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2000

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
130⤵
- Adds Run key to start application
PID:1616

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
131⤵
- Adds Run key to start application
- Modifies registry class
PID:596

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
132⤵
- Modifies registry class
PID:2744

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
133⤵
PID:2340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
134⤵
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
135⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:3060

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
136⤵
- Modifies system executable filetype association
- Modifies registry class
PID:1248

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
137⤵
PID:920

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
138⤵
PID:2044

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
139⤵
- Modifies system executable filetype association
PID:2204

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
140⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
PID:2520

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
141⤵
- Adds Run key to start application
PID:2552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
142⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2604

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
143⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2408

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
144⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
145⤵
- Modifies system executable filetype association
PID:2584

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
146⤵
- Adds Run key to start application
PID:1668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
147⤵
- Writes to the Master Boot Record (MBR)
PID:1460

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
148⤵
- Drops file in System32 directory
- Modifies registry class
PID:2656

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
149⤵
- Modifies registry class
PID:1592

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
150⤵
PID:1888

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
151⤵
PID:1872

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
152⤵
- Modifies system executable filetype association
PID:2736

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
153⤵
PID:2072

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
154⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2396

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
155⤵
- Modifies registry class
PID:1772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
156⤵
- Modifies system executable filetype association
- Adds Run key to start application
PID:1912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
157⤵
PID:1384

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
158⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:816

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
159⤵
- Modifies system executable filetype association
PID:908

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
160⤵
- Modifies system executable filetype association
- Modifies registry class
PID:3032

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
161⤵
- Writes to the Master Boot Record (MBR)
PID:2992

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
162⤵
- Modifies system executable filetype association
PID:1716

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
163⤵
PID:3016

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
164⤵
- Modifies registry class
PID:3040

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
165⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2204

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
166⤵
PID:2664

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
167⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2692

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
168⤵
PID:2676

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
169⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2624

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
170⤵
- Writes to the Master Boot Record (MBR)
PID:2300

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
171⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
PID:2412

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
172⤵
- Modifies system executable filetype association
- Modifies registry class
PID:1652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
173⤵
- Drops file in System32 directory
PID:1956

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
174⤵
PID:2816

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
175⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1624

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
176⤵
PID:2452

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
177⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2132

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
178⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
PID:2908

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
179⤵
- Drops file in System32 directory
- Modifies registry class
PID:1420

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
180⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
PID:2512

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
181⤵
- Writes to the Master Boot Record (MBR)
PID:2084

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
182⤵
PID:2160

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
183⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
PID:1612

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
184⤵
PID:1908

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
185⤵
- Modifies system executable filetype association
PID:3012

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
186⤵
- Writes to the Master Boot Record (MBR)
PID:1448

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
187⤵
- Modifies system executable filetype association
- Drops file in System32 directory
PID:2264

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
188⤵
- Adds Run key to start application
PID:2668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
189⤵
- Adds Run key to start application
PID:764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
190⤵
- Adds Run key to start application
PID:2632

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
191⤵
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
192⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
PID:2868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
193⤵
PID:1488

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
194⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:276

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
195⤵
- Modifies system executable filetype association
PID:2360

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
196⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1648

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
197⤵
PID:2656

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
198⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
199⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1740

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
200⤵
- Modifies system executable filetype association
- Adds Run key to start application
PID:1268

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
201⤵
PID:588

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
202⤵
PID:2120

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
203⤵
- Modifies registry class
PID:1768

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
204⤵
- Adds Run key to start application
PID:1160

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
205⤵
- Modifies system executable filetype association
PID:2512

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
206⤵
PID:1820

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
207⤵
- Drops file in System32 directory
- Modifies registry class
PID:768

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
208⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
PID:2904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
209⤵
- Drops file in System32 directory
PID:968

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
210⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
211⤵
- Modifies registry class
PID:2620

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
212⤵
PID:2540

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
213⤵
- Modifies registry class
PID:2560

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
214⤵
- Writes to the Master Boot Record (MBR)
PID:328

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
215⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
PID:2840

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
216⤵
PID:2756

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
217⤵
- Writes to the Master Boot Record (MBR)
PID:1548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
218⤵
- Drops file in System32 directory
PID:2600

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
219⤵
PID:1668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
220⤵
PID:2472

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
221⤵
PID:1600

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
222⤵
PID:1620

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
223⤵
PID:1652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
224⤵
PID:2148

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
225⤵
- Modifies system executable filetype association
PID:704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
226⤵
PID:524

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
227⤵
- Drops file in System32 directory
PID:572

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
228⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:1456

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
229⤵
- Adds Run key to start application
PID:2744

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
230⤵
- Drops file in System32 directory
PID:1300

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
231⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
PID:984

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
232⤵
- Drops file in System32 directory
- Modifies registry class
PID:1908

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
233⤵
- Adds Run key to start application
PID:376

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
234⤵
- Drops file in System32 directory
PID:1568

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
235⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2044

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
236⤵
- Modifies system executable filetype association
- Drops file in System32 directory
PID:3040

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
237⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
238⤵
PID:2504

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
239⤵
- Modifies system executable filetype association
- Adds Run key to start application
PID:2760

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
240⤵
- Modifies system executable filetype association
- Writes to the Master Boot Record (MBR)
PID:328

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
241⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2200

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
242⤵
- Modifies system executable filetype association
- Adds Run key to start application
PID:2740

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
243⤵
PID:2192

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
244⤵
- Drops file in System32 directory
PID:2324

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
245⤵
- Writes to the Master Boot Record (MBR)
PID:1592

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
246⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
PID:2688

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
247⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:600

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
248⤵
PID:2172

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
249⤵
- Modifies system executable filetype association
PID:676

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
250⤵
- Modifies system executable filetype association
PID:2148

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
251⤵
- Modifies system executable filetype association
- Drops file in System32 directory
PID:2112

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
252⤵
- Drops file in System32 directory
- Modifies registry class
PID:2068

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
253⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2796

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
254⤵
- Modifies registry class
PID:1160

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
255⤵
PID:2236

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
256⤵
- Drops file in System32 directory
- Modifies registry class
PID:940

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
257⤵
PID:3032

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
258⤵
PID:2368

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
259⤵
PID:2220

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
260⤵
PID:1568

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
261⤵
PID:3040

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
262⤵
PID:2444

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
263⤵
PID:2560

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
264⤵
PID:1612

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
265⤵
PID:2760

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
266⤵
PID:2332

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
267⤵
PID:328

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
268⤵
PID:2016

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
269⤵
PID:2828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
270⤵
PID:3024

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
271⤵
PID:1208

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
272⤵
PID:668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
273⤵
PID:2780

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
274⤵
PID:1428

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
275⤵
PID:524

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
276⤵
PID:848

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
277⤵
PID:596

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
278⤵
PID:1244

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
279⤵
PID:2376

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
280⤵
PID:2004

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
281⤵
PID:1868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
282⤵
PID:2464

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
283⤵
PID:2056

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
284⤵
PID:1028

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
285⤵
PID:2108

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
286⤵
PID:1552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
287⤵
PID:2504

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
288⤵
PID:2756

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
289⤵
PID:1612

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
290⤵
PID:276

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
291⤵
PID:1572

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
292⤵
PID:800

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
293⤵
PID:1260

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
294⤵
PID:1500

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
295⤵
PID:2052

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
296⤵
PID:1436

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
297⤵
PID:1772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
298⤵
PID:2396

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
299⤵
PID:3044

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
300⤵
PID:3000

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
301⤵
PID:388

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
302⤵
PID:596

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
303⤵
PID:816

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
304⤵
PID:912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
305⤵
PID:340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
306⤵
PID:3016

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
307⤵
PID:2528

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
308⤵
PID:1660

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
309⤵
PID:2056

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
310⤵
PID:2580

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
311⤵
PID:2548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
312⤵
PID:1552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
313⤵
PID:2848

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
314⤵
PID:2624

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
315⤵
PID:1952

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
316⤵
PID:2816

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
317⤵
PID:1644

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
318⤵
PID:1008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
319⤵
PID:1648

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
320⤵
PID:2356

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
321⤵
PID:704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
322⤵
PID:1428

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
323⤵
PID:1988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
324⤵
PID:1972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
325⤵
PID:2232

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
326⤵
PID:3056

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
327⤵
PID:1524

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
328⤵
PID:2344

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
329⤵
PID:1504

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
330⤵
PID:2368

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
331⤵
PID:2972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
332⤵
PID:2480

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
333⤵
PID:596

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
334⤵
PID:2116

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
335⤵
PID:1660

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
336⤵
PID:1996

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
337⤵
PID:1388

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
338⤵
PID:2504

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
339⤵
PID:2288

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
340⤵
PID:1340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
341⤵
PID:2472

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
342⤵
PID:2828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
343⤵
PID:1624

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
344⤵
PID:2172

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
345⤵
PID:2248

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
346⤵
PID:1912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
347⤵
PID:1760

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
348⤵
PID:2916

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
349⤵
PID:1988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
350⤵
PID:2596

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
351⤵
PID:1972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
352⤵
PID:1244

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
353⤵
PID:2004

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
354⤵
PID:2344

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
355⤵
PID:2748

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
356⤵
PID:1672

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
357⤵
PID:2644

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
358⤵
PID:1576

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
359⤵
PID:888

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
360⤵
PID:564

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
361⤵
PID:2484

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
362⤵
PID:2548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
363⤵
PID:2504

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
364⤵
PID:2324

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
365⤵
PID:2132

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
366⤵
PID:292

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
367⤵
PID:1340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
368⤵
PID:1808

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
369⤵
PID:2124

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
370⤵
PID:2084

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
371⤵
PID:2152

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
372⤵
PID:1772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
373⤵
PID:3044

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
374⤵
PID:2380

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
375⤵
PID:1300

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
376⤵
PID:2596

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
377⤵
PID:556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
378⤵
PID:2464

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
379⤵
PID:1432

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
380⤵
PID:2552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
381⤵
PID:2972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
382⤵
PID:2620

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
383⤵
PID:1212

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
384⤵
PID:2428

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
385⤵
PID:2708

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
386⤵
PID:1800

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
387⤵
PID:1752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
388⤵
PID:1048

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
389⤵
PID:1548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
390⤵
PID:2324

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
391⤵
PID:532

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
392⤵
PID:1616

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
393⤵
PID:1340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
394⤵
PID:2788

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
395⤵
PID:2356

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
396⤵
PID:668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
397⤵
PID:1360

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
398⤵
PID:656

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
399⤵
PID:752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
400⤵
PID:880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
401⤵
PID:2904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
402⤵
PID:2616

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
403⤵
PID:556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
404⤵
PID:1748

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
405⤵
PID:2540

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
406⤵
PID:1544

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
407⤵
PID:1684

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
408⤵
PID:1576

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
409⤵
PID:2640

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
410⤵
PID:888

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
411⤵
PID:2332

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
412⤵
PID:2056

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
413⤵
PID:1872

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
414⤵
PID:284

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
415⤵
PID:1744

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
416⤵
PID:2816

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
417⤵
PID:1048

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
418⤵
PID:2944

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
419⤵
PID:1496

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
420⤵
PID:348

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
421⤵
PID:2152

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
422⤵
PID:668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
423⤵
PID:848

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
424⤵
PID:1988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
425⤵
PID:752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
426⤵
PID:1560

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
427⤵
PID:2904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
428⤵
PID:2196

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
429⤵
PID:2344

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
430⤵
PID:1992

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
431⤵
PID:2652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
432⤵
PID:2936

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
433⤵
PID:2524

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
434⤵
PID:852

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
435⤵
PID:1952

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
436⤵
PID:564

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
437⤵
PID:2912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
438⤵
PID:1268

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
439⤵
PID:3024

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
440⤵
PID:1600

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
441⤵
PID:2828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
442⤵
PID:1184

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
443⤵
PID:896

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
444⤵
PID:1200

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
445⤵
PID:2412

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
446⤵
PID:2508

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
447⤵
PID:1428

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
448⤵
PID:1384

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
449⤵
PID:388

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
450⤵
PID:448

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
451⤵
PID:2700

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
452⤵
PID:340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
453⤵
PID:2592

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
454⤵
PID:2572

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
455⤵
PID:1868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
456⤵
PID:1992

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
457⤵
PID:2532

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
458⤵
PID:2968

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
459⤵
PID:2360

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
460⤵
PID:328

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
461⤵
PID:1828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
462⤵
PID:1516

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
463⤵
PID:1996

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
464⤵
PID:1268

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
465⤵
PID:2416

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
466⤵
PID:2828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
467⤵
PID:2132

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
468⤵
PID:2120

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
469⤵
PID:2336

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
470⤵
PID:2600

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
471⤵
PID:1360

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
472⤵
PID:816

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
473⤵
PID:2340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
474⤵
PID:1988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
475⤵
PID:2752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
476⤵
PID:2616

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
477⤵
PID:2032

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
478⤵
PID:556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
479⤵
PID:2468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
480⤵
PID:2652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
481⤵
PID:2448

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
482⤵
PID:2760

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
483⤵
PID:3036

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
484⤵
PID:2012

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
485⤵
PID:1284

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
486⤵
PID:2792

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
487⤵
PID:2868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
488⤵
PID:588

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
489⤵
PID:2784

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
490⤵
PID:1600

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
491⤵
PID:1424

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
492⤵
PID:2848

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
493⤵
PID:2944

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
494⤵
PID:1636

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
495⤵
PID:1160

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
496⤵
PID:1692

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
497⤵
PID:1188

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
498⤵
PID:2088

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
499⤵
PID:1144

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
500⤵
PID:2924

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
501⤵
PID:2752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
502⤵
PID:1748

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
503⤵
PID:1672

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
504⤵
PID:2108

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
505⤵
PID:2756

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
506⤵
PID:2652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
507⤵
PID:2312

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
508⤵
PID:1584

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
509⤵
PID:940

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
510⤵
PID:1008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
511⤵
PID:2624

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
512⤵
PID:2064

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
513⤵
PID:3048

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
514⤵
PID:1808

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
515⤵
PID:1460

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
516⤵
PID:2008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
517⤵
PID:2132

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
518⤵
PID:1572

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
519⤵
PID:3052

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
520⤵
PID:2916

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
521⤵
PID:668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
522⤵
PID:3064

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
523⤵
PID:1188

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
524⤵
PID:2804

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
525⤵
PID:1520

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
526⤵
PID:912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
527⤵
PID:892

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
528⤵
PID:2840

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
529⤵
PID:1544

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
530⤵
PID:2728

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
531⤵
PID:2744

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
532⤵
PID:2400

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
533⤵
PID:1592

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
534⤵
PID:2580

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
535⤵
PID:1668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
536⤵
PID:2480

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
537⤵
PID:1608

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
538⤵
PID:1940

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
539⤵
PID:2816

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
540⤵
PID:3024

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
541⤵
PID:2856

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
542⤵
PID:2628

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
543⤵
PID:876

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
544⤵
PID:2944

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
545⤵
PID:3032

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
546⤵
PID:1428

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
547⤵
PID:3060

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
548⤵
PID:2340

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
549⤵
PID:1972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
550⤵
PID:2680

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
551⤵
PID:920

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
552⤵
PID:2952

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
553⤵
PID:2444

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
554⤵
PID:1476

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
555⤵
PID:1888

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
556⤵
PID:2632

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
557⤵
PID:1488

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
558⤵
PID:1640

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
559⤵
PID:2312

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
560⤵
PID:1952

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
561⤵
PID:2516

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
562⤵
PID:1632

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
563⤵
PID:1608

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
564⤵
PID:2140

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
565⤵
PID:2000

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
566⤵
PID:2356

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
567⤵
PID:2856

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
568⤵
PID:572

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
569⤵
PID:1932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
570⤵
PID:2944

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
571⤵
PID:2280

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
572⤵
PID:376

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
573⤵
PID:1680

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
574⤵
PID:1620

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
575⤵
PID:2304

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
576⤵
PID:2616

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
577⤵
PID:1732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
578⤵
PID:556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
579⤵
PID:2540

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
580⤵
PID:2972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
581⤵
PID:2756

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
582⤵
PID:2164

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
583⤵
PID:1556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
584⤵
PID:2584

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
585⤵
PID:564

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
586⤵
PID:1956

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
587⤵
PID:676

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
588⤵
PID:2320

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
589⤵
PID:2324

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
590⤵
PID:1812

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
591⤵
PID:1976

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
592⤵
PID:1284

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
593⤵
PID:2248

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
594⤵
PID:2016

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
595⤵
PID:1932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
596⤵
PID:1300

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
597⤵
PID:2420

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
598⤵
PID:2996

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
599⤵
PID:1680

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
600⤵
PID:3000

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
601⤵
PID:2904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
602⤵
PID:2520

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
603⤵
PID:1732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
604⤵
PID:2880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
605⤵
PID:2240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
606⤵
PID:1992

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
607⤵
PID:2936

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
608⤵
PID:2360

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
609⤵
PID:1236

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
610⤵
PID:1656

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
611⤵
PID:2328

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
612⤵
PID:1956

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
613⤵
PID:2732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
614⤵
PID:2320

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
615⤵
PID:896

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
616⤵
PID:1480

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
617⤵
PID:2224

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
618⤵
PID:1572

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
619⤵
PID:3052

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
620⤵
PID:656

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
621⤵
PID:1932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
622⤵
PID:1384

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
623⤵
PID:2388

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
624⤵
PID:2024

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
625⤵
PID:636

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
626⤵
PID:764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
627⤵
PID:2932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
628⤵
PID:2512

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
629⤵
PID:2300

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
630⤵
PID:2880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
631⤵
PID:2504

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
632⤵
PID:1524

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
633⤵
PID:2760

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
634⤵
PID:2912

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KERNEL32.EXE

Filesize
388KB

MD5
16c8a6096c6a55b0f1ac09b9882ee7b0

SHA1
48840eb1d44b376479553c99e33d1020b8031c66

SHA256
83f4acc7f2125e46ec8a6a9f205a1340f93322a1a8812ba75db41bd71e606a13

SHA512
89767fad311f15a6a03a8e966651b874d146ef226d9cb08835a555d42065b7fbe333504d60b33e2783b6d680209a4911950a82b4b936e7d9fd5c3c1bf398e1c5

Download Submit
memory/328-358-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/348-752-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/376-851-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/388-818-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/556-518-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/580-807-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/668-182-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/668-796-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/668-496-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/696-300-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/704-774-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/780-225-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/800-129-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/800-138-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/800-125-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/800-126-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/800-140-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/800-115-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/800-123-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/800-124-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/800-128-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/800-730-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/800-137-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/800-127-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/800-130-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/912-862-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/920-573-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/940-584-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/956-829-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1028-884-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1340-463-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1456-540-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1468-406-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1548-642-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1552-334-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1560-285-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1624-763-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1652-697-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1656-708-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1676-452-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1716-873-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1724-551-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1724-247-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1732-323-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1820-151-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1820-141-0x00000000003B0000-0x00000000003EA000-memory.dmp

Filesize
232KB

Download
memory/1820-142-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1820-152-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1820-150-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1820-160-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1820-155-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1884-686-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1932-840-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1996-608-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2068-197-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2068-507-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2120-785-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2120-485-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2144-719-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2192-345-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2212-595-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2288-741-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2296-113-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2296-111-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2296-103-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2296-102-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2296-93-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2296-92-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2296-105-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2296-94-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2296-114-0x0000000000310000-0x000000000034A000-memory.dmp

Filesize
232KB

Download
memory/2324-441-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2412-63-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2412-86-0x0000000003F90000-0x0000000004062000-memory.dmp

Filesize
840KB

Download
memory/2412-64-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2412-65-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2412-82-0x0000000003E50000-0x0000000003E60000-memory.dmp

Filesize
64KB

Download
memory/2412-80-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2412-66-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2412-77-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2412-74-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2412-79-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2412-75-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2412-91-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2412-90-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2412-78-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-76-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2472-419-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2536-61-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2536-42-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2536-62-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/2536-54-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2536-55-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2536-43-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2556-631-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2576-664-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2680-393-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2712-430-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2756-381-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2772-653-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2836-675-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2868-41-0x0000000000340000-0x000000000037A000-memory.dmp

Filesize
232KB

Download
memory/2868-40-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2868-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2868-26-0x0000000003FC0000-0x0000000004092000-memory.dmp

Filesize
840KB

Download
memory/2868-5-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2868-21-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2868-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x0000000000340000-0x000000000037A000-memory.dmp

Filesize
232KB

Download
memory/2868-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2868-20-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2868-22-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2868-39-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2868-6-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2868-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2868-7-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2868-25-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/2868-8-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2868-38-0x0000000003FC0000-0x0000000004092000-memory.dmp

Filesize
840KB

Download
memory/2868-9-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2868-10-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2868-11-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2888-606-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2904-562-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2944-474-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2972-312-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3028-529-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3068-267-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download