cc3635e8f69d39427f470f0c6a687e88ea006c70077601177dd0852778d2ad08

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

G_Server.exe
Size

388KB
MD5

16c8a6096c6a55b0f1ac09b9882ee7b0
SHA1

48840eb1d44b376479553c99e33d1020b8031c66
SHA256

83f4acc7f2125e46ec8a6a9f205a1340f93322a1a8812ba75db41bd71e606a13
SHA512

89767fad311f15a6a03a8e966651b874d146ef226d9cb08835a555d42065b7fbe333504d60b33e2783b6d680209a4911950a82b4b936e7d9fd5c3c1bf398e1c5
SSDEEP

12288:JPgzpWVpdgb8Q2fG3Fd4WxbDCy2anwWhan:PTX+JxbDQu3An

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEG_Server.exeKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	G_Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	KERNEL32.EXE

Executes dropped EXE 64 IoCs

Processes:

KERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXE

pid	process
4684	KERNEL32.EXE
1180	KERNEL32.EXE
1644	KERNEL32.EXE
4632	KERNEL32.EXE
1404	KERNEL32.EXE
1744	KERNEL32.EXE
1396	KERNEL32.EXE
2764	KERNEL32.EXE
2452	KERNEL32.EXE
3256	KERNEL32.EXE
4948	KERNEL32.EXE
4740	KERNEL32.EXE
1764	KERNEL32.EXE
3492	KERNEL32.EXE
2584	KERNEL32.EXE
372	KERNEL32.EXE
2428	KERNEL32.EXE
4564	KERNEL32.EXE
2480	KERNEL32.EXE
552	KERNEL32.EXE
4424	KERNEL32.EXE
2680	KERNEL32.EXE
2132	KERNEL32.EXE
2404	KERNEL32.EXE
3512	KERNEL32.EXE
1008	KERNEL32.EXE
372	KERNEL32.EXE
3508	KERNEL32.EXE
4148	KERNEL32.EXE
1048	KERNEL32.EXE
444	KERNEL32.EXE
3672	KERNEL32.EXE
1032	KERNEL32.EXE
3564	KERNEL32.EXE
2240	KERNEL32.EXE
4352	KERNEL32.EXE
2732	KERNEL32.EXE
4332	KERNEL32.EXE
3464	KERNEL32.EXE
948	KERNEL32.EXE
4164	KERNEL32.EXE
548	KERNEL32.EXE
2856	KERNEL32.EXE
3752	KERNEL32.EXE
1200	KERNEL32.EXE
2640	KERNEL32.EXE
4732	KERNEL32.EXE
2808	KERNEL32.EXE
2260	KERNEL32.EXE
4924	KERNEL32.EXE
3684	KERNEL32.EXE
828	KERNEL32.EXE
1048	KERNEL32.EXE
4636	KERNEL32.EXE
2680	KERNEL32.EXE
2072	KERNEL32.EXE
4364	KERNEL32.EXE
5088	KERNEL32.EXE
4180	KERNEL32.EXE
4916	KERNEL32.EXE
3288	KERNEL32.EXE
320	KERNEL32.EXE
4900	KERNEL32.EXE
3952	KERNEL32.EXE

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\KERNEL32.EXE"	KERNEL32.EXE

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\SYSEXPLR.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File created	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE
File opened for modification	C:\Windows\SysWOW64\KERNEL32.EXE	KERNEL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\SYSEXPLR.EXE %1"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\Shell\open\command	KERNEL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	KERNEL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

G_Server.exeKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXEKERNEL32.EXE

description	pid	process	target process
PID 548 wrote to memory of 4684	548	G_Server.exe	KERNEL32.EXE
PID 548 wrote to memory of 4684	548	G_Server.exe	KERNEL32.EXE
PID 548 wrote to memory of 4684	548	G_Server.exe	KERNEL32.EXE
PID 4684 wrote to memory of 1180	4684	KERNEL32.EXE	KERNEL32.EXE
PID 4684 wrote to memory of 1180	4684	KERNEL32.EXE	KERNEL32.EXE
PID 4684 wrote to memory of 1180	4684	KERNEL32.EXE	KERNEL32.EXE
PID 1180 wrote to memory of 1644	1180	KERNEL32.EXE	KERNEL32.EXE
PID 1180 wrote to memory of 1644	1180	KERNEL32.EXE	KERNEL32.EXE
PID 1180 wrote to memory of 1644	1180	KERNEL32.EXE	KERNEL32.EXE
PID 1644 wrote to memory of 4632	1644	KERNEL32.EXE	KERNEL32.EXE
PID 1644 wrote to memory of 4632	1644	KERNEL32.EXE	KERNEL32.EXE
PID 1644 wrote to memory of 4632	1644	KERNEL32.EXE	KERNEL32.EXE
PID 4632 wrote to memory of 1404	4632	KERNEL32.EXE	KERNEL32.EXE
PID 4632 wrote to memory of 1404	4632	KERNEL32.EXE	KERNEL32.EXE
PID 4632 wrote to memory of 1404	4632	KERNEL32.EXE	KERNEL32.EXE
PID 1404 wrote to memory of 1744	1404	KERNEL32.EXE	KERNEL32.EXE
PID 1404 wrote to memory of 1744	1404	KERNEL32.EXE	KERNEL32.EXE
PID 1404 wrote to memory of 1744	1404	KERNEL32.EXE	KERNEL32.EXE
PID 1744 wrote to memory of 1396	1744	KERNEL32.EXE	KERNEL32.EXE
PID 1744 wrote to memory of 1396	1744	KERNEL32.EXE	KERNEL32.EXE
PID 1744 wrote to memory of 1396	1744	KERNEL32.EXE	KERNEL32.EXE
PID 1396 wrote to memory of 2764	1396	KERNEL32.EXE	KERNEL32.EXE
PID 1396 wrote to memory of 2764	1396	KERNEL32.EXE	KERNEL32.EXE
PID 1396 wrote to memory of 2764	1396	KERNEL32.EXE	KERNEL32.EXE
PID 2764 wrote to memory of 2452	2764	KERNEL32.EXE	KERNEL32.EXE
PID 2764 wrote to memory of 2452	2764	KERNEL32.EXE	KERNEL32.EXE
PID 2764 wrote to memory of 2452	2764	KERNEL32.EXE	KERNEL32.EXE
PID 2452 wrote to memory of 3256	2452	KERNEL32.EXE	KERNEL32.EXE
PID 2452 wrote to memory of 3256	2452	KERNEL32.EXE	KERNEL32.EXE
PID 2452 wrote to memory of 3256	2452	KERNEL32.EXE	KERNEL32.EXE
PID 3256 wrote to memory of 4948	3256	KERNEL32.EXE	KERNEL32.EXE
PID 3256 wrote to memory of 4948	3256	KERNEL32.EXE	KERNEL32.EXE
PID 3256 wrote to memory of 4948	3256	KERNEL32.EXE	KERNEL32.EXE
PID 4948 wrote to memory of 4740	4948	KERNEL32.EXE	KERNEL32.EXE
PID 4948 wrote to memory of 4740	4948	KERNEL32.EXE	KERNEL32.EXE
PID 4948 wrote to memory of 4740	4948	KERNEL32.EXE	KERNEL32.EXE
PID 4740 wrote to memory of 1764	4740	KERNEL32.EXE	KERNEL32.EXE
PID 4740 wrote to memory of 1764	4740	KERNEL32.EXE	KERNEL32.EXE
PID 4740 wrote to memory of 1764	4740	KERNEL32.EXE	KERNEL32.EXE
PID 1764 wrote to memory of 3492	1764	KERNEL32.EXE	KERNEL32.EXE
PID 1764 wrote to memory of 3492	1764	KERNEL32.EXE	KERNEL32.EXE
PID 1764 wrote to memory of 3492	1764	KERNEL32.EXE	KERNEL32.EXE
PID 3492 wrote to memory of 2584	3492	KERNEL32.EXE	KERNEL32.EXE
PID 3492 wrote to memory of 2584	3492	KERNEL32.EXE	KERNEL32.EXE
PID 3492 wrote to memory of 2584	3492	KERNEL32.EXE	KERNEL32.EXE
PID 2584 wrote to memory of 372	2584	KERNEL32.EXE	KERNEL32.EXE
PID 2584 wrote to memory of 372	2584	KERNEL32.EXE	KERNEL32.EXE
PID 2584 wrote to memory of 372	2584	KERNEL32.EXE	KERNEL32.EXE
PID 372 wrote to memory of 2428	372	KERNEL32.EXE	KERNEL32.EXE
PID 372 wrote to memory of 2428	372	KERNEL32.EXE	KERNEL32.EXE
PID 372 wrote to memory of 2428	372	KERNEL32.EXE	KERNEL32.EXE
PID 2428 wrote to memory of 4564	2428	KERNEL32.EXE	KERNEL32.EXE
PID 2428 wrote to memory of 4564	2428	KERNEL32.EXE	KERNEL32.EXE
PID 2428 wrote to memory of 4564	2428	KERNEL32.EXE	KERNEL32.EXE
PID 4564 wrote to memory of 2480	4564	KERNEL32.EXE	KERNEL32.EXE
PID 4564 wrote to memory of 2480	4564	KERNEL32.EXE	KERNEL32.EXE
PID 4564 wrote to memory of 2480	4564	KERNEL32.EXE	KERNEL32.EXE
PID 2480 wrote to memory of 552	2480	KERNEL32.EXE	KERNEL32.EXE
PID 2480 wrote to memory of 552	2480	KERNEL32.EXE	KERNEL32.EXE
PID 2480 wrote to memory of 552	2480	KERNEL32.EXE	KERNEL32.EXE
PID 552 wrote to memory of 4424	552	KERNEL32.EXE	KERNEL32.EXE
PID 552 wrote to memory of 4424	552	KERNEL32.EXE	KERNEL32.EXE
PID 552 wrote to memory of 4424	552	KERNEL32.EXE	KERNEL32.EXE
PID 4424 wrote to memory of 2680	4424	KERNEL32.EXE	KERNEL32.EXE

C:\Users\Admin\AppData\Local\Temp\G_Server.exe
"C:\Users\Admin\AppData\Local\Temp\G_Server.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
5⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
13⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
14⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
18⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
19⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
21⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
23⤵
- Executes dropped EXE
PID:2680

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
24⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
25⤵
- Executes dropped EXE
PID:2404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
26⤵
- Executes dropped EXE
PID:3512

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
27⤵
- Executes dropped EXE
- Modifies system executable filetype association
PID:1008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
28⤵
- Executes dropped EXE
PID:372

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
29⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3508

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
30⤵
- Executes dropped EXE
PID:4148

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
31⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1048

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
32⤵
- Executes dropped EXE
- Modifies registry class
PID:444

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
33⤵
- Checks computer location settings
- Executes dropped EXE
PID:3672

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
34⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
35⤵
- Executes dropped EXE
PID:3564

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
37⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4352

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
38⤵
- Executes dropped EXE
PID:2732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
39⤵
- Executes dropped EXE
PID:4332

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3464

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
41⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
42⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4164

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
43⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
PID:548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
44⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
PID:2856

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
45⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
46⤵
- Executes dropped EXE
PID:1200

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2640

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
48⤵
- Executes dropped EXE
PID:4732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2808

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2260

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4924

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
52⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3684

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
53⤵
- Executes dropped EXE
- Modifies registry class
PID:828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1048

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4636

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
56⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2680

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
57⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2072

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
58⤵
- Executes dropped EXE
- Modifies system executable filetype association
PID:4364

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
59⤵
- Executes dropped EXE
PID:5088

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
60⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
PID:4180

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
61⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
62⤵
- Executes dropped EXE
- Modifies registry class
PID:3288

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
63⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
PID:320

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
64⤵
- Executes dropped EXE
PID:4900

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
65⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
66⤵
- Checks computer location settings
PID:828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
67⤵
PID:1048

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
68⤵
PID:4428

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
69⤵
- Modifies registry class
PID:4040

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
70⤵
- Adds Run key to start application
- Modifies registry class
PID:3384

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
71⤵
- Checks computer location settings
- Modifies system executable filetype association
- Adds Run key to start application
PID:4464

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
72⤵
PID:2556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
73⤵
- Modifies registry class
PID:3556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
74⤵
- Modifies registry class
PID:4336

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
75⤵
- Modifies system executable filetype association
- Drops file in System32 directory
PID:948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
76⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
PID:1876

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
77⤵
- Modifies registry class
PID:1468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
78⤵
PID:2452

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
79⤵
PID:2868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
80⤵
PID:3140

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
81⤵
- Modifies system executable filetype association
- Modifies registry class
PID:2404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
82⤵
- Modifies system executable filetype association
- Modifies registry class
PID:2240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
83⤵
- Checks computer location settings
- Modifies registry class
PID:1616

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
84⤵
- Adds Run key to start application
PID:2156

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
85⤵
PID:2468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
86⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4336

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
87⤵
PID:1912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
88⤵
- Checks computer location settings
PID:4112

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
89⤵
PID:1372

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
90⤵
- Checks computer location settings
- Adds Run key to start application
PID:2856

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
91⤵
- Adds Run key to start application
PID:4068

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
92⤵
PID:4876

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
93⤵
PID:2404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
94⤵
- Modifies system executable filetype association
PID:1556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
95⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5072

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
96⤵
PID:4756

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
97⤵
PID:804

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
98⤵
- Checks computer location settings
PID:3860

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
99⤵
- Adds Run key to start application
PID:3272

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
100⤵
- Modifies system executable filetype association
PID:2680

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
101⤵
- Checks computer location settings
PID:4700

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
102⤵
- Drops file in System32 directory
PID:3212

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
103⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in System32 directory
PID:5088

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
104⤵
- Checks computer location settings
PID:4880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
105⤵
PID:1712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
106⤵
PID:2552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
107⤵
- Checks computer location settings
PID:1036

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
108⤵
PID:1064

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
109⤵
- Modifies system executable filetype association
- Modifies registry class
PID:4900

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
110⤵
- Checks computer location settings
PID:1748

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
111⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2484

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
112⤵
- Modifies system executable filetype association
PID:3492

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
113⤵
- Adds Run key to start application
PID:4840

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
114⤵
PID:4700

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
115⤵
PID:4644

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
116⤵
- Drops file in System32 directory
- Modifies registry class
PID:5088

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
117⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
118⤵
PID:4940

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
119⤵
PID:4500

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
120⤵
PID:372

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
121⤵
PID:2944

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
122⤵
PID:1064

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
123⤵
- Checks computer location settings
- Modifies system executable filetype association
- Adds Run key to start application
PID:492

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
124⤵
- Modifies registry class
PID:3552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
125⤵
- Modifies system executable filetype association
PID:3492

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
126⤵
PID:1072

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
127⤵
- Modifies system executable filetype association
- Drops file in System32 directory
PID:3384

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
128⤵
- Checks computer location settings
PID:1464

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
129⤵
- Drops file in System32 directory
- Modifies registry class
PID:2592

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
130⤵
PID:4024

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
131⤵
- Modifies registry class
PID:1712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
132⤵
- Checks computer location settings
- Modifies registry class
PID:1180

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
133⤵
- Adds Run key to start application
PID:1896

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
134⤵
- Modifies system executable filetype association
PID:1468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
135⤵
- Checks computer location settings
- Modifies system executable filetype association
PID:4772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
136⤵
PID:4928

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
137⤵
PID:4740

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
138⤵
- Adds Run key to start application
PID:3960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
139⤵
- Modifies system executable filetype association
PID:3172

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
140⤵
- Adds Run key to start application
PID:4640

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
141⤵
PID:4920

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
142⤵
PID:948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
143⤵
PID:2516

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
144⤵
- Adds Run key to start application
PID:1644

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
145⤵
PID:4996

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
146⤵
- Adds Run key to start application
- Modifies registry class
PID:1904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
147⤵
- Checks computer location settings
PID:2404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
148⤵
PID:1072

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
149⤵
- Modifies system executable filetype association
PID:4880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
150⤵
PID:3384

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
151⤵
PID:3696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
152⤵
PID:4324

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
153⤵
- Adds Run key to start application
PID:1820

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
154⤵
- Checks computer location settings
PID:3952

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
155⤵
- Drops file in System32 directory
- Modifies registry class
PID:3908

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
156⤵
- Checks computer location settings
PID:4164

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
157⤵
PID:1032

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
158⤵
- Modifies registry class
PID:4108

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
159⤵
- Checks computer location settings
- Adds Run key to start application
PID:4956

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
160⤵
PID:4100

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
161⤵
- Checks computer location settings
PID:4740

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
162⤵
PID:3404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
163⤵
PID:2876

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
164⤵
- Checks computer location settings
PID:1240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
165⤵
- Adds Run key to start application
PID:4528

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
166⤵
PID:3440

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
167⤵
PID:2452

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
168⤵
PID:4240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
169⤵
- Adds Run key to start application
PID:1128

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
170⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
PID:2148

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
171⤵
- Checks computer location settings
PID:3232

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
172⤵
- Modifies system executable filetype association
- Modifies registry class
PID:4876

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
173⤵
- Modifies system executable filetype association
PID:5088

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
174⤵
- Modifies system executable filetype association
PID:2124

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
175⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
176⤵
PID:2468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
177⤵
- Modifies system executable filetype association
- Adds Run key to start application
PID:3584

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
178⤵
- Adds Run key to start application
PID:4912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
179⤵
- Modifies system executable filetype association
- Drops file in System32 directory
PID:828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
180⤵
- Modifies system executable filetype association
- Modifies registry class
PID:3920

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
181⤵
- Modifies registry class
PID:4788

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
182⤵
PID:2128

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
183⤵
- Drops file in System32 directory
- Modifies registry class
PID:4700

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
184⤵
- Checks computer location settings
PID:1904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
185⤵
PID:3052

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
186⤵
PID:4284

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
187⤵
- Modifies registry class
PID:4712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
188⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2156

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
189⤵
- Checks computer location settings
- Modifies registry class
PID:1312

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
190⤵
- Checks computer location settings
PID:2184

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
191⤵
PID:3568

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
192⤵
PID:948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
193⤵
PID:3440

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
194⤵
- Drops file in System32 directory
PID:3432

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
195⤵
- Drops file in System32 directory
PID:4788

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
196⤵
- Modifies system executable filetype association
- Adds Run key to start application
PID:1716

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
197⤵
- Adds Run key to start application
PID:1460

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
198⤵
- Adds Run key to start application
PID:1852

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
199⤵
PID:4660

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
200⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1832

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
201⤵
- Modifies system executable filetype association
PID:4712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
202⤵
- Modifies registry class
PID:2876

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
203⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:4184

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
204⤵
- Checks computer location settings
PID:5068

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
205⤵
- Modifies system executable filetype association
PID:1400

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
206⤵
- Modifies registry class
PID:1468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
207⤵
PID:2356

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
208⤵
- Modifies system executable filetype association
PID:4864

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
209⤵
- Modifies registry class
PID:1580

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
210⤵
- Checks computer location settings
- Modifies system executable filetype association
- Modifies registry class
PID:2808

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
211⤵
- Adds Run key to start application
PID:1072

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
212⤵
- Drops file in System32 directory
PID:4828

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
213⤵
- Checks computer location settings
PID:3452

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
214⤵
- Modifies system executable filetype association
PID:1712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
215⤵
PID:2448

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
216⤵
- Drops file in System32 directory
- Modifies registry class
PID:2876

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
217⤵
- Checks computer location settings
PID:116

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
218⤵
PID:2484

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
219⤵
- Adds Run key to start application
- Modifies registry class
PID:1980

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
220⤵
PID:948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
221⤵
PID:3152

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
222⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
223⤵
- Modifies registry class
PID:920

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
224⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
225⤵
PID:2552

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
226⤵
- Adds Run key to start application
PID:3720

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
227⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4924

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
228⤵
- Modifies system executable filetype association
PID:3240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
229⤵
- Modifies system executable filetype association
PID:3272

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
230⤵
- Adds Run key to start application
- Modifies registry class
PID:3932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
231⤵
- Modifies system executable filetype association
PID:1400

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
232⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3672

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
233⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:4028

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
234⤵
- Adds Run key to start application
PID:1316

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
235⤵
- Modifies registry class
PID:4424

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
236⤵
- Adds Run key to start application
PID:4628

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
237⤵
PID:4716

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
238⤵
- Modifies system executable filetype association
PID:4660

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
239⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
PID:1512

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
240⤵
PID:4324

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
241⤵
- Modifies registry class
PID:4024

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
242⤵
PID:2528

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
243⤵
PID:3844

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
244⤵
- Checks computer location settings
PID:2440

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
245⤵
PID:3740

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
246⤵
PID:1520

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
247⤵
PID:3444

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
248⤵
- Modifies registry class
PID:4056

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
249⤵
- Drops file in System32 directory
PID:420

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
250⤵
- Drops file in System32 directory
- Modifies registry class
PID:4180

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
251⤵
- Modifies system executable filetype association
- Drops file in System32 directory
PID:4628

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
252⤵
PID:4760

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
253⤵
- Adds Run key to start application
PID:4660

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
254⤵
- Checks computer location settings
PID:3264

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
255⤵
PID:2168

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
256⤵
PID:3676

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
257⤵
- Checks computer location settings
PID:2516

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
258⤵
- Adds Run key to start application
PID:1644

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
259⤵
- Modifies system executable filetype association
PID:2988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
260⤵
PID:4688

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
261⤵
- Checks computer location settings
- Modifies registry class
PID:4396

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
262⤵
- Drops file in System32 directory
PID:4956

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
263⤵
PID:1176

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
264⤵
- Adds Run key to start application
PID:1464

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
265⤵
PID:1928

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
266⤵
- Drops file in System32 directory
PID:2356

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
267⤵
PID:4712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
268⤵
PID:3684

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
269⤵
- Checks computer location settings
- Modifies registry class
PID:460

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
270⤵
- Checks computer location settings
PID:4112

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
271⤵
- Modifies system executable filetype association
PID:4352

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
272⤵
- Checks computer location settings
PID:4912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
273⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
PID:1592

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
274⤵
- Checks computer location settings
- Adds Run key to start application
PID:5108

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
275⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:1884

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
276⤵
- Drops file in System32 directory
PID:2588

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
277⤵
- Modifies system executable filetype association
PID:5076

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
278⤵
- Drops file in System32 directory
- Modifies registry class
PID:1904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
279⤵
- Drops file in System32 directory
PID:1516

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
280⤵
PID:420

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
281⤵
PID:1928

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
282⤵
PID:4704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
283⤵
PID:1640

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
284⤵
- Modifies system executable filetype association
PID:1224

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
285⤵
- Modifies system executable filetype association
PID:2764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
286⤵
- Modifies system executable filetype association
- Modifies registry class
PID:3272

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
287⤵
- Drops file in System32 directory
PID:4772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
288⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:4296

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
289⤵
- Drops file in System32 directory
PID:2988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
290⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in System32 directory
PID:4432

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
291⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
292⤵
PID:880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
293⤵
PID:2148

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
294⤵
PID:1008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
295⤵
PID:1516

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
296⤵
PID:4168

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
297⤵
PID:1240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
298⤵
- Modifies system executable filetype association
PID:2960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
299⤵
- Drops file in System32 directory
PID:1228

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
300⤵
PID:1372

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
301⤵
- Adds Run key to start application
- Modifies registry class
PID:3696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
302⤵
- Checks computer location settings
PID:4920

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
303⤵
- Modifies registry class
PID:5004

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
304⤵
PID:3932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
305⤵
PID:916

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
306⤵
- Checks computer location settings
PID:4960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
307⤵
- Checks computer location settings
- Modifies system executable filetype association
PID:4536

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
308⤵
PID:4940

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
309⤵
PID:8

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
310⤵
- Modifies system executable filetype association
PID:3572

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
311⤵
- Modifies registry class
PID:1312

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
312⤵
PID:1528

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
313⤵
- Modifies registry class
PID:1240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
314⤵
- Modifies system executable filetype association
- Adds Run key to start application
PID:4636

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
315⤵
- Checks computer location settings
PID:1184

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
316⤵
PID:3860

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
317⤵
- Checks computer location settings
PID:1880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
318⤵
- Drops file in System32 directory
PID:2772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
319⤵
- Modifies system executable filetype association
PID:2396

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
320⤵
PID:1556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
321⤵
- Modifies system executable filetype association
PID:3988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
322⤵
- Modifies system executable filetype association
PID:1804

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
323⤵
PID:4860

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
324⤵
PID:2804

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
325⤵
PID:4392

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
326⤵
PID:1652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
327⤵
PID:560

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
328⤵
PID:4924

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
329⤵
PID:3788

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
330⤵
PID:2744

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
331⤵
PID:3708

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
332⤵
PID:3824

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
333⤵
PID:1164

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
334⤵
PID:4296

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
335⤵
PID:3432

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
336⤵
PID:4956

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
337⤵
PID:3912

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
338⤵
PID:3204

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
339⤵
PID:3656

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
340⤵
PID:2952

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
341⤵
PID:4760

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
342⤵
PID:1028

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
343⤵
PID:4764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
344⤵
PID:4472

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
345⤵
PID:4508

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
346⤵
PID:1696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
347⤵
PID:2764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
348⤵
PID:1428

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
349⤵
PID:4052

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
350⤵
PID:4064

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
351⤵
PID:4280

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
352⤵
PID:4880

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
353⤵
PID:2988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
354⤵
PID:1460

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
355⤵
PID:3008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
356⤵
PID:1444

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
357⤵
PID:4736

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
358⤵
PID:4696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
359⤵
PID:1652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
360⤵
PID:4660

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
361⤵
PID:2732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
362⤵
PID:1128

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
363⤵
PID:3672

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
364⤵
PID:1696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
365⤵
PID:2764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
366⤵
PID:1292

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
367⤵
PID:4720

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
368⤵
PID:2948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
369⤵
PID:940

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
370⤵
PID:1464

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
371⤵
PID:3960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
372⤵
PID:2684

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
373⤵
PID:3008

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
374⤵
PID:1444

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
375⤵
PID:5012

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
376⤵
PID:4696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
377⤵
PID:4048

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
378⤵
PID:4764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
379⤵
PID:2272

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
380⤵
PID:4636

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
381⤵
PID:2752

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
382⤵
PID:1920

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
383⤵
PID:3212

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
384⤵
PID:4772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
385⤵
PID:4720

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
386⤵
PID:1868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
387⤵
PID:4460

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
388⤵
PID:236

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
389⤵
PID:1380

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
390⤵
PID:4192

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
391⤵
PID:4856

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
392⤵
PID:3948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
393⤵
PID:1244

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
394⤵
PID:1712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
395⤵
PID:2448

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
396⤵
PID:1632

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
397⤵
PID:1228

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
398⤵
PID:4664

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
399⤵
PID:3984

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
400⤵
PID:416

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
401⤵
PID:3212

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
402⤵
PID:4772

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
403⤵
PID:4908

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
404⤵
PID:2404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
405⤵
PID:3616

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
406⤵
PID:4576

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
407⤵
PID:3164

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
408⤵
PID:4324

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
409⤵
PID:2432

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
410⤵
PID:3192

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
411⤵
PID:3788

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
412⤵
PID:2484

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
413⤵
PID:1808

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
414⤵
PID:2020

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
415⤵
PID:3188

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
416⤵
PID:2860

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
417⤵
PID:1996

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
418⤵
PID:4960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
419⤵
PID:4400

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
420⤵
PID:1832

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
421⤵
PID:1732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
422⤵
PID:4100

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
423⤵
PID:972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
424⤵
PID:2960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
425⤵
PID:656

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
426⤵
PID:4564

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
427⤵
PID:4668

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
428⤵
PID:4916

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
429⤵
PID:3492

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
430⤵
PID:2764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
431⤵
PID:3268

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
432⤵
PID:1220

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
433⤵
PID:2476

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
434⤵
PID:2988

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
435⤵
PID:4628

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
436⤵
PID:4148

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
437⤵
PID:3260

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
438⤵
PID:1012

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
439⤵
PID:1928

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
440⤵
PID:1944

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
441⤵
PID:3724

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
442⤵
PID:1468

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
443⤵
PID:740

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
444⤵
PID:3440

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
445⤵
PID:3900

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
446⤵
PID:4048

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
447⤵
PID:2764

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
448⤵
PID:2664

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
449⤵
PID:1904

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
450⤵
PID:4304

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
451⤵
PID:1684

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
452⤵
PID:3288

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
453⤵
PID:3732

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
454⤵
PID:1820

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
455⤵
PID:1028

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
456⤵
PID:4528

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
457⤵
PID:4652

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
458⤵
PID:1248

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
459⤵
PID:3208

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
460⤵
PID:2128

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
461⤵
PID:4108

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
462⤵
PID:2440

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
463⤵
PID:3932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
464⤵
PID:2592

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
465⤵
PID:1900

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
466⤵
PID:4064

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
467⤵
PID:3052

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
468⤵
PID:3540

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
469⤵
PID:3868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
470⤵
PID:4548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
471⤵
PID:4824

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
472⤵
PID:444

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
473⤵
PID:2456

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
474⤵
PID:5004

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
475⤵
PID:2460

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
476⤵
PID:3244

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
477⤵
PID:1240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
478⤵
PID:1964

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
479⤵
PID:4404

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
480⤵
PID:4684

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
481⤵
PID:2072

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
482⤵
PID:3984

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
483⤵
PID:1900

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
484⤵
PID:2944

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
485⤵
PID:3172

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
486⤵
PID:4760

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
487⤵
PID:4856

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
488⤵
PID:1532

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
489⤵
PID:1640

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
490⤵
PID:2528

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
491⤵
PID:1948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
492⤵
PID:2484

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
493⤵
PID:4508

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
494⤵
PID:4232

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
495⤵
PID:932

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
496⤵
PID:3216

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
497⤵
PID:1696

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
498⤵
PID:768

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
499⤵
PID:212

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
500⤵
PID:1332

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
501⤵
PID:3640

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
502⤵
PID:3636

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
503⤵
PID:4540

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
504⤵
PID:4712

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
505⤵
PID:3868

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
506⤵
PID:3256

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
507⤵
PID:2960

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
508⤵
PID:3708

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
509⤵
PID:1948

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
510⤵
PID:1744

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
511⤵
PID:4556

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
512⤵
PID:4688

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
513⤵
PID:1408

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
514⤵
PID:1448

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
515⤵
PID:2704

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
516⤵
PID:1972

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
517⤵
PID:1360

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
518⤵
PID:4776

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
519⤵
PID:4864

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
520⤵
PID:3152

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
521⤵
PID:4548

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
522⤵
PID:3240

C:\Windows\SysWOW64\KERNEL32.EXE
"C:\Windows\system32\KERNEL32.EXE"
523⤵
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KERNEL32.EXE
Filesize
388KB

MD5
16c8a6096c6a55b0f1ac09b9882ee7b0

SHA1
48840eb1d44b376479553c99e33d1020b8031c66

SHA256
83f4acc7f2125e46ec8a6a9f205a1340f93322a1a8812ba75db41bd71e606a13

SHA512
89767fad311f15a6a03a8e966651b874d146ef226d9cb08835a555d42065b7fbe333504d60b33e2783b6d680209a4911950a82b4b936e7d9fd5c3c1bf398e1c5

Download Submit
memory/320-1245-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/372-379-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/372-611-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/444-697-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/548-22-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/548-3-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/548-8-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/548-5-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/548-9-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/548-10-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/548-11-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/548-7-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/548-20-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/548-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/548-21-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/548-4-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/548-37-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/548-1-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/548-39-0x00000000022C0000-0x00000000022FA000-memory.dmp

Filesize
232KB

Download
memory/548-2-0x00000000022C0000-0x00000000022FA000-memory.dmp

Filesize
232KB

Download
memory/548-890-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/548-6-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/552-466-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/828-1073-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/948-852-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1008-591-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1032-730-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1048-677-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1048-1090-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1180-72-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1180-76-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1180-60-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1180-77-0x0000000002090000-0x00000000020CA000-memory.dmp

Filesize
232KB

Download
memory/1180-73-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1180-64-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1180-75-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1180-83-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1180-74-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1180-82-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1180-84-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1200-943-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1396-196-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1404-161-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1404-130-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1644-100-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1644-109-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1644-85-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1644-97-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1644-96-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1644-99-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1644-101-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1644-107-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1644-105-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1644-98-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1644-108-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1644-95-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1644-93-0x0000000000740000-0x000000000077A000-memory.dmp

Filesize
232KB

Download
memory/1644-94-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1744-173-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1764-324-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2072-1141-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2132-527-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2240-767-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2260-1014-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2404-550-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2428-403-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2452-237-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2480-444-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2584-358-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2640-961-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2680-1124-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2680-508-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2732-801-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2764-216-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2808-998-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2856-909-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3256-256-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3288-1226-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3464-835-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3492-337-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3508-633-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3512-572-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3564-750-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3672-715-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3684-1051-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3752-926-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4148-655-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4164-871-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4180-1193-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4332-818-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4352-786-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4364-1153-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4424-486-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4564-423-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4632-124-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/4632-133-0x0000000002030000-0x000000000206A000-memory.dmp

Filesize
232KB

Download
memory/4632-131-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4632-132-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4632-113-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/4632-111-0x0000000002030000-0x000000000206A000-memory.dmp

Filesize
232KB

Download
memory/4632-123-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4632-110-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4632-122-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4632-125-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4632-121-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4632-112-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4636-1107-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4684-40-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4684-50-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4684-51-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/4684-38-0x00000000008B0000-0x00000000008EA000-memory.dmp

Filesize
232KB

Download
memory/4684-55-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4684-49-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4684-62-0x00000000008B0000-0x00000000008EA000-memory.dmp

Filesize
232KB

Download
memory/4684-52-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4684-61-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4684-48-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4684-33-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4684-54-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/4684-53-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4684-63-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4732-979-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4740-295-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4900-1261-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4916-1208-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4924-1032-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4948-277-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/5088-1174-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download