Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 05:45 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: G_Client.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: G_Client.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral3
  Sample: G_Server.exe
  Resource: win7-20240215-en
Behavioral task: behavioral4
  Sample: G_Server.exe
  Resource: win10v2004-20240412-en
General
Target: G_Server.exe
Size: 388KB
MD5: 16c8a6096c6a55b0f1ac09b9882ee7b0
SHA1: 48840eb1d44b376479553c99e33d1020b8031c66
SHA256: 83f4acc7f2125e46ec8a6a9f205a1340f93322a1a8812ba75db41bd71e606a13
SHA512: 89767fad311f15a6a03a8e966651b874d146ef226d9cb08835a555d42065b7fbe333504d60b33e2783b6d680209a4911950a82b4b936e7d9fd5c3c1bf398e1c5
SSDEEP: 12288:JPgzpWVpdgb8Q2fG3Fd4WxbDCy2anwWhan:PTX+JxbDQu3An
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Modifies system executable filetype association (2 TTPs, 64 IoCs)
Adds Run key to start application (2 TTPs, 64 IoCs)
Drops file in System32 directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\G_Server.exe"C:\Users\Admin\AppData\Local\Temp\G_Server.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"5⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"13⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"14⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"18⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"19⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"21⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"23⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"24⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"25⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"26⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"27⤵
- Executes dropped EXE
- Modifies system executable filetype association
PID:1008 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"28⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"29⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3508 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"30⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"31⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1048 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"32⤵
- Executes dropped EXE
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"33⤵
- Checks computer location settings
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"34⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"35⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"36⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2240 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"37⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4352 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"38⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"39⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"41⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"42⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4164 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"43⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"44⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
PID:2856 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"45⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"46⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"48⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"52⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3684 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"53⤵
- Executes dropped EXE
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4636 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"56⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2680 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"57⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2072 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"58⤵
- Executes dropped EXE
- Modifies system executable filetype association
PID:4364 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"59⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"60⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
PID:4180 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"61⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"62⤵
- Executes dropped EXE
- Modifies registry class
PID:3288 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"63⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
PID:320 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"64⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"65⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"66⤵
- Checks computer location settings
PID:828 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"67⤵PID:1048
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"68⤵PID:4428
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"69⤵
- Modifies registry class
PID:4040 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"70⤵
- Adds Run key to start application
- Modifies registry class
PID:3384 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"71⤵
- Checks computer location settings
- Modifies system executable filetype association
- Adds Run key to start application
PID:4464 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"72⤵PID:2556
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"73⤵
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"74⤵
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"75⤵
- Modifies system executable filetype association
- Drops file in System32 directory
PID:948 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"76⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"77⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"78⤵PID:2452
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"79⤵PID:2868
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"80⤵PID:3140
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"81⤵
- Modifies system executable filetype association
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"82⤵
- Modifies system executable filetype association
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"83⤵
- Checks computer location settings
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"84⤵
- Adds Run key to start application
PID:2156 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"85⤵PID:2468
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"86⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4336 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"87⤵PID:1912
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"88⤵
- Checks computer location settings
PID:4112 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"89⤵PID:1372
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"90⤵
- Checks computer location settings
- Adds Run key to start application
PID:2856 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"91⤵
- Adds Run key to start application
PID:4068 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"92⤵PID:4876
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"93⤵PID:2404
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"94⤵
- Modifies system executable filetype association
PID:1556 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"95⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5072 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"96⤵PID:4756
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"97⤵PID:804
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"98⤵
- Checks computer location settings
PID:3860 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"99⤵
- Adds Run key to start application
PID:3272 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"100⤵
- Modifies system executable filetype association
PID:2680 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"101⤵
- Checks computer location settings
PID:4700 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"102⤵
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"103⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"104⤵
- Checks computer location settings
PID:4880 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"105⤵PID:1712
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"106⤵PID:2552
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"107⤵
- Checks computer location settings
PID:1036 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"108⤵PID:1064
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"109⤵
- Modifies system executable filetype association
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"110⤵
- Checks computer location settings
PID:1748 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"111⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"112⤵
- Modifies system executable filetype association
PID:3492 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"113⤵
- Adds Run key to start application
PID:4840 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"114⤵PID:4700
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"115⤵PID:4644
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"116⤵
- Drops file in System32 directory
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"117⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"118⤵PID:4940
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"119⤵PID:4500
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"120⤵PID:372
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"121⤵PID:2944
-
C:\Windows\SysWOW64\KERNEL32.EXE"C:\Windows\system32\KERNEL32.EXE"122⤵PID:1064