Analysis
-
max time kernel
44s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 21:11
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
Score
10/10
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 44 IoCs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Downloads MZ/PE file
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 44 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 44 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 12 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 44 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 57 IoCs
-
Suspicious use of SendNotifyMessage 46 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff825a646f8,0x7ff825a64708,0x7ff825a647182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2308 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5640 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6060 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Blackkomet.exe"C:\Users\Admin\Downloads\Blackkomet.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads" +s +h3⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad8⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad10⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h10⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h11⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad12⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h12⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h13⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h13⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad14⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h14⤵
- Sets file to hidden
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h14⤵
- Views/modifies file attributes
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad16⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h16⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h16⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h17⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h17⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad18⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h18⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h18⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h19⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h20⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h21⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad22⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h22⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h23⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h23⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h24⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h25⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h25⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad26⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h26⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h26⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h27⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h27⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad28⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h28⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h29⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad30⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h30⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h30⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h31⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"31⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad32⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h32⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h32⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"32⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h33⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad34⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h34⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h34⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h35⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"35⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad36⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h36⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h36⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h37⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h37⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"37⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h38⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h38⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"38⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h39⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h39⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad40⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h40⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"40⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h41⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"41⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad42⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h42⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h43⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"43⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad44⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h44⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"44⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h45⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h45⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"45⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad46⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h46⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h46⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"46⤵
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h47⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"47⤵
-
C:\Windows\SysWOW64\notepad.exenotepad48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h48⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"48⤵
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h49⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"49⤵
-
C:\Windows\SysWOW64\notepad.exenotepad50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h50⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"50⤵
-
C:\Windows\SysWOW64\notepad.exenotepad51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h51⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV152⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"51⤵
-
C:\Windows\SysWOW64\notepad.exenotepad52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h52⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"52⤵
-
C:\Windows\SysWOW64\notepad.exenotepad53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h53⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"53⤵
-
C:\Windows\SysWOW64\notepad.exenotepad54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h54⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"54⤵
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h55⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h55⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"55⤵
-
C:\Windows\SysWOW64\notepad.exenotepad56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h56⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"56⤵
-
C:\Windows\SysWOW64\notepad.exenotepad57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h57⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"57⤵
-
C:\Windows\SysWOW64\notepad.exenotepad58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h58⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h58⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"58⤵
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h59⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h59⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"59⤵
-
C:\Windows\SysWOW64\notepad.exenotepad60⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h60⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h60⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"60⤵
-
C:\Windows\SysWOW64\notepad.exenotepad61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h61⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"61⤵
-
C:\Windows\SysWOW64\notepad.exenotepad62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h62⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"62⤵
-
C:\Windows\SysWOW64\notepad.exenotepad63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h63⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"63⤵
-
C:\Windows\SysWOW64\notepad.exenotepad64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h64⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"64⤵
-
C:\Windows\SysWOW64\notepad.exenotepad65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h65⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"65⤵
-
C:\Windows\SysWOW64\notepad.exenotepad66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h66⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"66⤵
-
C:\Windows\SysWOW64\notepad.exenotepad67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h67⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h67⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"67⤵
-
C:\Windows\SysWOW64\notepad.exenotepad68⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h68⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h68⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"68⤵
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h69⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"69⤵
-
C:\Windows\SysWOW64\notepad.exenotepad70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h70⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"70⤵
-
C:\Windows\SysWOW64\notepad.exenotepad71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h71⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h71⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"71⤵
-
C:\Windows\SysWOW64\notepad.exenotepad72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h72⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"72⤵
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h73⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"73⤵
-
C:\Windows\SysWOW64\notepad.exenotepad74⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h74⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h74⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"74⤵
-
C:\Windows\SysWOW64\notepad.exenotepad75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h75⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"75⤵
-
C:\Windows\SysWOW64\notepad.exenotepad76⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h76⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h76⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"76⤵
-
C:\Windows\SysWOW64\notepad.exenotepad77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h77⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h77⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"77⤵
-
C:\Windows\SysWOW64\notepad.exenotepad78⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h78⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h78⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"78⤵
-
C:\Windows\SysWOW64\notepad.exenotepad79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h79⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"79⤵
-
C:\Windows\SysWOW64\notepad.exenotepad80⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h80⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h80⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"80⤵
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h81⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"81⤵
-
C:\Windows\SysWOW64\notepad.exenotepad82⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h82⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h82⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"82⤵
-
C:\Windows\SysWOW64\notepad.exenotepad83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h83⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h83⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"83⤵
-
C:\Windows\SysWOW64\notepad.exenotepad84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h84⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"84⤵
-
C:\Windows\SysWOW64\notepad.exenotepad85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h85⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h85⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"85⤵
-
C:\Windows\SysWOW64\notepad.exenotepad86⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h86⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h86⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"86⤵
-
C:\Windows\SysWOW64\notepad.exenotepad87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h87⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"87⤵
-
C:\Windows\SysWOW64\notepad.exenotepad88⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h88⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h88⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"88⤵
-
C:\Windows\SysWOW64\notepad.exenotepad89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h89⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"89⤵
-
C:\Windows\SysWOW64\notepad.exenotepad90⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h90⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h90⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"90⤵
-
C:\Windows\SysWOW64\notepad.exenotepad91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h91⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h91⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"91⤵
-
C:\Windows\SysWOW64\notepad.exenotepad92⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h92⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h92⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"92⤵
-
C:\Windows\SysWOW64\notepad.exenotepad93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h93⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"93⤵
-
C:\Windows\SysWOW64\notepad.exenotepad94⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h94⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h94⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"94⤵
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h95⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"95⤵
-
C:\Windows\SysWOW64\notepad.exenotepad96⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h96⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h96⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"96⤵
-
C:\Windows\SysWOW64\notepad.exenotepad97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h97⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h97⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"97⤵
-
C:\Windows\SysWOW64\notepad.exenotepad98⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h98⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h98⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"98⤵
-
C:\Windows\SysWOW64\notepad.exenotepad99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h99⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h99⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"99⤵
-
C:\Windows\SysWOW64\notepad.exenotepad100⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h100⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h100⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"100⤵
-
C:\Windows\SysWOW64\notepad.exenotepad101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h101⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"101⤵
-
C:\Windows\SysWOW64\notepad.exenotepad102⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h102⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h102⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"102⤵
-
C:\Windows\SysWOW64\notepad.exenotepad103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h103⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"103⤵
-
C:\Windows\SysWOW64\notepad.exenotepad104⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h104⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h104⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"104⤵
-
C:\Windows\SysWOW64\notepad.exenotepad105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h105⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"105⤵
-
C:\Windows\SysWOW64\notepad.exenotepad106⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h106⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h106⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"106⤵
-
C:\Windows\SysWOW64\notepad.exenotepad107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h107⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"107⤵
-
C:\Windows\SysWOW64\notepad.exenotepad108⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h108⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h108⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"108⤵
-
C:\Windows\SysWOW64\notepad.exenotepad109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h109⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h109⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"109⤵
-
C:\Windows\SysWOW64\notepad.exenotepad110⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h110⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h110⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"110⤵
-
C:\Windows\SysWOW64\notepad.exenotepad111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h111⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"111⤵
-
C:\Windows\SysWOW64\notepad.exenotepad112⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h112⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h112⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"112⤵
-
C:\Windows\SysWOW64\notepad.exenotepad113⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h113⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h113⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"113⤵
-
C:\Windows\SysWOW64\notepad.exenotepad114⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h114⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h114⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"114⤵
-
C:\Windows\SysWOW64\notepad.exenotepad115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h115⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"115⤵
-
C:\Windows\SysWOW64\notepad.exenotepad116⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h116⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h116⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"116⤵
-
C:\Windows\SysWOW64\notepad.exenotepad117⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h117⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h117⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"117⤵
-
C:\Windows\SysWOW64\notepad.exenotepad118⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h118⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h118⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"118⤵
-
C:\Windows\SysWOW64\notepad.exenotepad119⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h119⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h119⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"119⤵
-
C:\Windows\SysWOW64\notepad.exenotepad120⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h120⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h120⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"120⤵
-
C:\Windows\SysWOW64\notepad.exenotepad121⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h121⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h121⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"121⤵
-
C:\Windows\SysWOW64\notepad.exenotepad122⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h122⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h122⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"122⤵
-
C:\Windows\SysWOW64\notepad.exenotepad123⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h123⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h123⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"123⤵
-
C:\Windows\SysWOW64\notepad.exenotepad124⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h124⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h124⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"124⤵
-
C:\Windows\SysWOW64\notepad.exenotepad125⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h125⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h125⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"125⤵
-
C:\Windows\SysWOW64\notepad.exenotepad126⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h126⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h126⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"126⤵
-
C:\Windows\SysWOW64\notepad.exenotepad127⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h127⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h127⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"127⤵
-
C:\Windows\SysWOW64\notepad.exenotepad128⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h128⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h128⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"128⤵
-
C:\Windows\SysWOW64\notepad.exenotepad129⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h129⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h129⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"129⤵
-
C:\Windows\SysWOW64\notepad.exenotepad130⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h130⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h130⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"130⤵
-
C:\Windows\SysWOW64\notepad.exenotepad131⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h131⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h131⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"131⤵
-
C:\Windows\SysWOW64\notepad.exenotepad132⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h132⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h132⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"132⤵
-
C:\Windows\SysWOW64\notepad.exenotepad133⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h133⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h133⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"133⤵
-
C:\Windows\SysWOW64\notepad.exenotepad134⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h134⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h134⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"134⤵
-
C:\Windows\SysWOW64\notepad.exenotepad135⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h135⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h135⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"135⤵
-
C:\Windows\SysWOW64\notepad.exenotepad136⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h136⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h136⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"136⤵
-
C:\Windows\SysWOW64\notepad.exenotepad137⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h137⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h137⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"137⤵
-
C:\Windows\SysWOW64\notepad.exenotepad138⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h138⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h138⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"138⤵
-
C:\Windows\SysWOW64\notepad.exenotepad139⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h139⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h139⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"139⤵
-
C:\Windows\SysWOW64\notepad.exenotepad140⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h140⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h140⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"140⤵
-
C:\Windows\SysWOW64\notepad.exenotepad141⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h141⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h141⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"141⤵
-
C:\Windows\SysWOW64\notepad.exenotepad142⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h142⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h142⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"142⤵
-
C:\Windows\SysWOW64\notepad.exenotepad143⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h143⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h143⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"143⤵
-
C:\Windows\SysWOW64\notepad.exenotepad144⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h144⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h144⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"144⤵
-
C:\Windows\SysWOW64\notepad.exenotepad145⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h145⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h145⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"145⤵
-
C:\Windows\SysWOW64\notepad.exenotepad146⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h146⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h146⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"146⤵
-
C:\Windows\SysWOW64\notepad.exenotepad147⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h147⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h147⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"147⤵
-
C:\Windows\SysWOW64\notepad.exenotepad148⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h148⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h148⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"148⤵
-
C:\Windows\SysWOW64\notepad.exenotepad149⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h149⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h149⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"149⤵
-
C:\Windows\SysWOW64\notepad.exenotepad150⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h150⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h150⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"150⤵
-
C:\Windows\SysWOW64\notepad.exenotepad151⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h151⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h151⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"151⤵
-
C:\Windows\SysWOW64\notepad.exenotepad152⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h152⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h152⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"152⤵
-
C:\Windows\SysWOW64\notepad.exenotepad153⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h153⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h153⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"153⤵
-
C:\Windows\SysWOW64\notepad.exenotepad154⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h154⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h154⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"154⤵
-
C:\Windows\SysWOW64\notepad.exenotepad155⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h155⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h155⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"155⤵
-
C:\Windows\SysWOW64\notepad.exenotepad156⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h156⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h156⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"156⤵
-
C:\Windows\SysWOW64\notepad.exenotepad157⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h157⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h157⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"157⤵
-
C:\Windows\SysWOW64\notepad.exenotepad158⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h158⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h158⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"158⤵
-
C:\Windows\SysWOW64\notepad.exenotepad159⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h159⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h159⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"159⤵
-
C:\Windows\SysWOW64\notepad.exenotepad160⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h160⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h160⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"160⤵
-
C:\Windows\SysWOW64\notepad.exenotepad161⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h161⤵
- Views/modifies file attributes
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1162⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h161⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"161⤵
-
C:\Windows\SysWOW64\notepad.exenotepad162⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h162⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h162⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"162⤵
-
C:\Windows\SysWOW64\notepad.exenotepad163⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h163⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h163⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"163⤵
-
C:\Windows\SysWOW64\notepad.exenotepad164⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h164⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h164⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"164⤵
-
C:\Windows\SysWOW64\notepad.exenotepad165⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h165⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h165⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"165⤵
-
C:\Windows\SysWOW64\notepad.exenotepad166⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h166⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h166⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"166⤵
-
C:\Windows\SysWOW64\notepad.exenotepad167⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h167⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h167⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"167⤵
-
C:\Windows\SysWOW64\notepad.exenotepad168⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h168⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h168⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"168⤵
-
C:\Windows\SysWOW64\notepad.exenotepad169⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h169⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h169⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"169⤵
-
C:\Windows\SysWOW64\notepad.exenotepad170⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h170⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h170⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"170⤵
-
C:\Windows\SysWOW64\notepad.exenotepad171⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h171⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h171⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"171⤵
-
C:\Windows\SysWOW64\notepad.exenotepad172⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h172⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h172⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"172⤵
-
C:\Windows\SysWOW64\notepad.exenotepad173⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h173⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h173⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"173⤵
-
C:\Windows\SysWOW64\notepad.exenotepad174⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h174⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h174⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"174⤵
-
C:\Windows\SysWOW64\notepad.exenotepad175⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h175⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h175⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"175⤵
-
C:\Windows\SysWOW64\notepad.exenotepad176⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h176⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h176⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"176⤵
-
C:\Windows\SysWOW64\notepad.exenotepad177⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h177⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h177⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"177⤵
-
C:\Windows\SysWOW64\notepad.exenotepad178⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h178⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h178⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"178⤵
-
C:\Windows\SysWOW64\notepad.exenotepad179⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h179⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h179⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"179⤵
-
C:\Windows\SysWOW64\notepad.exenotepad180⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h180⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h180⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"180⤵
-
C:\Windows\SysWOW64\notepad.exenotepad181⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h181⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h181⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"181⤵
-
C:\Windows\SysWOW64\notepad.exenotepad182⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h182⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h182⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"182⤵
-
C:\Windows\SysWOW64\notepad.exenotepad183⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h183⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h183⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"183⤵
-
C:\Windows\SysWOW64\notepad.exenotepad184⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h184⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h184⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"184⤵
-
C:\Windows\SysWOW64\notepad.exenotepad185⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h185⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h185⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"185⤵
-
C:\Windows\SysWOW64\notepad.exenotepad186⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h186⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h186⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"186⤵
-
C:\Windows\SysWOW64\notepad.exenotepad187⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h187⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h187⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"187⤵
-
C:\Windows\SysWOW64\notepad.exenotepad188⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h188⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h188⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"188⤵
-
C:\Windows\SysWOW64\notepad.exenotepad189⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h189⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h189⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"189⤵
-
C:\Windows\SysWOW64\notepad.exenotepad190⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h190⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h190⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"190⤵
-
C:\Windows\SysWOW64\notepad.exenotepad191⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h191⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h191⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"191⤵
-
C:\Windows\SysWOW64\notepad.exenotepad192⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h192⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h192⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"192⤵
-
C:\Windows\SysWOW64\notepad.exenotepad193⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h193⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h193⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"193⤵
-
C:\Windows\SysWOW64\notepad.exenotepad194⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h194⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h194⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"194⤵
-
C:\Windows\SysWOW64\notepad.exenotepad195⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h195⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h195⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"195⤵
-
C:\Windows\SysWOW64\notepad.exenotepad196⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h196⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h196⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"196⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe196⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe195⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe194⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe193⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe192⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe191⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe190⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe189⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe188⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe187⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe186⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10004 -s 76187⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe185⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe184⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe183⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe182⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe181⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe180⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe179⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe178⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 348179⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe177⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe176⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe175⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe174⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe173⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe172⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe171⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe170⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe169⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe168⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe167⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe166⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe165⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe164⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe163⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14232 -s 140164⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe162⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe161⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe160⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe159⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe158⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe157⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe156⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe155⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe154⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe153⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe152⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe151⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe150⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe149⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13664 -s 416150⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe148⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe147⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe146⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14012 -s 160147⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe145⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe144⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe143⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe142⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10412 -s 408143⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe141⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe140⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe139⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe138⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe137⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe136⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe135⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe134⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe133⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe132⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe131⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe130⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe129⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe128⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe127⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe126⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe125⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe124⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe123⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe122⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe121⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe120⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe119⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe118⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe117⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe116⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe115⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe114⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe113⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe112⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe111⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe110⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe109⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe108⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe107⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe106⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe105⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe104⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe103⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe102⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe101⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe100⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe99⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe98⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe97⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe96⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe95⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe94⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe93⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe92⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe91⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe90⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe89⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe88⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe87⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe86⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe85⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe84⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe83⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe82⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe81⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe80⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe79⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe78⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe77⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe76⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe75⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe74⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe73⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe72⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe71⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe70⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe69⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe68⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe67⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe66⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe65⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9676 -s 8066⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe64⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe63⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe62⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe61⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe60⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe59⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe58⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe57⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe56⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe55⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe54⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe53⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe52⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe51⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe50⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe49⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe48⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe47⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe46⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe45⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe44⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe43⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe42⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe41⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe40⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe39⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe38⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe37⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe36⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe35⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe34⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe33⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe32⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe31⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe30⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe29⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe28⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 7629⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe27⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe26⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe25⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe24⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe23⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe22⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe21⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe20⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe19⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe18⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe17⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 15218⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe16⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe15⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe14⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe13⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe12⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe11⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe10⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe9⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe8⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe7⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe6⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe5⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe4⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2816 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1696,13799022912743720587,17207550600288026034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5632 -ip 56322⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7248 -ip 72482⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 9676 -ip 96762⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 10412 -ip 104122⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 14012 -ip 140122⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 13664 -ip 136642⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 14232 -ip 142322⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4360 -ip 43602⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 10004 -ip 100042⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Hide Artifacts
2Hidden Files and Directories
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5971440ad5c12510159863eb89084f11b
SHA168d23f488de2cf460fc06bf8962dcb8df6c4701b
SHA256321712e07a5ddcae16d998db9432e1416e085cc6597172334302fcf68931edca
SHA51223a2e3f0f0c92ed7eaad1aafdb8dd624d4998c6f9d96379a97c8f319faf97492da4e69de78e4c4eb6ed730061712a59bbfe548da5cd92ea84b5165d96ab07e8f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
579B
MD575237b876e4ebf0cf587313ae92b7952
SHA1ef712d6b1e678d091b39cd593b8d4a2a5520f139
SHA256d7abd571a35eaba20a7c57d7ac93cbb59b8d4b417f4b67590ee1c29ff561442b
SHA5120c96b1f590a69141018c2112e36de65fb30ab57320b4b76da3a672b23c716197fc06e0f381491975319a8ad4ae138660469d3149cfbb69be96a2cfdfcaf802b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5fb6c86626e3f50819b1d7becdffb1dd5
SHA146d217b4a91caa9210e516a6a405b8a0e8b3353c
SHA2560cf44f344353ad8e9564b63a97b93fae44767d004869110d0d76f52368ec6d21
SHA51263ef11abd411cac35bcb37d16bf049c887f4b804e34532dc0e29a1233dc03b3c86e4d19db0d99fc2a5467a4a2f0854a92f9f78adc00378d36bb3d7a8bf131198
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD592b8553e5d6dc256998f37fe715cc2e5
SHA1f5d27947a99a3414420c768de41f4d0951d0f5db
SHA2565430824c31c58eed89b82ed526df99fef1176ed0a65b2c65c0707e7e3389000f
SHA512f34858230a6444100b5ebe231ffd349773efbf8764019a991e22d80d04f731710b5188a4161afd6850a686dc9f4ded628fd8670e31046f433bc7ad2aec7e6f05
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ccd52606bb63a0a06cb4dc1b412b65a0
SHA1f809bacb194a4f17818bfa84e1bb87b9f66e93d9
SHA25646e8a5340cae3db07e07c8bc9a43b0796c2155264a256c93178768c554df7a2c
SHA512e121bcfc15c9f17a01a9b2aa90a0a4cd3b0c1380c4090b55802986c97189e70cee86aa17fb1fd822b0a92d1473885e21282f6348bed68f6ad35ac229bfe1a77e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5acca5fa8b7d30cb25ff14c716b68dc5b
SHA10375ec45a504731b973774b70f6a34d273c63fc2
SHA256f77dbcff453d4773bb87f5d9538b75779ec81b862a5626fa34cacf5e933d3941
SHA512be981b2557c2f33b5476a00cdb37f84c6eeea6afd10d78455e52c5d084047a469a6c89566ac28e79bd9abcb40c58aed5cc2dca570fe96e5ddfef572c790c570d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD587e7e96a850f611871050254b9fe7c8a
SHA118e3be7fc114a051944c551d451097d54782e8e0
SHA2569b0924d4c7ce57440674c15ca4a3d0b6ce6886457838d45ec335f2b2c3bbcd8b
SHA512631f3bf80cd951c161f8b8beedd5aed7d5b1bbfe9065fd48c1451b362b12a3847bf8c4448f81e530f48d65dbfb2856fbafe6c120442d8aea23d0c760c0179fb6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e62684896a696e5fd6bbfb19d7baf15e
SHA11f5b45755d1bf453bdd0ecf30827183821820530
SHA25605523c211abb62a0168bd69f4eff2431f08eb49e3ef2af48868f5d3158ca7b53
SHA51280f7e2c5311a47e9164d69a8e2f98abeca896c751243a1cb6e3dc737c08531dfbfc309f7585700b1b6bf285fee86de67bfec3e71102e502b34502f155dc63fe8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579049.TMPFilesize
1KB
MD5e35ab24426b47b186a5483b081da495d
SHA1f11356999b3210487981ec23f710c78f89e6d94a
SHA25662057422c1115e8a33bffce59b0576618f25e4453c992025bbe6ed6fe126fb2c
SHA5128b09f7b3bc236195934ed5eb32eac693a25aefae892e1e1c113828c1217bfc08148fa3c7cfb1ca134c88af781f0ce4f3380070f2843e31e31264ae771658c26a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5b3ce9d84c3d9d1e4b8740e52b9de16f1
SHA162c8e9f89d196e980abe79be57ffa2392ddcb4f4
SHA25630ce7ce3addc4efc85104911ee89185b765cb44e287b0f33e83dab9df803e750
SHA5127faec9ff1ceb1143f31e8ece6956f709d7c821c1ee39ec88df60d68148fbefe4672fbb8625e8fe6248a124211b76eb8bba05bb5d6dec7743f4cf12127d623663
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5426f3dbaf3e50183274addb22ed0c6ca
SHA11fee4d711ebdeb5c548d100bea33a98792ad882c
SHA256e922c97595d4bdc23b9f07d9d31609fe7c662c516146d51e01a188d5bd33c2cf
SHA5126c1ea4239bac932bf7317d194f7ac1ba6a20321f2979d6e15f66c8453d7cf9fbfb53adb58cf2b2962e43c7cfed6bf295127c37bb307a3f598ce37f89f24f3729
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD58ed1ae3cb5897ff3950cf4debf3d19a8
SHA122ec23243651458a1af538a1284b1f3a5241ea46
SHA25679260cdceb8062e95bbf3004925fbe4ab250c5a9f25e1bb821db72633c080dd0
SHA51245b9a11c0d9b71f30312ddeb4cb50878f680437e33da01f10d4ab07c11fd5dde1e395e4539b221a131b9fc7e5a5cee1f37aa12a0c1065ff77bf731b251370e84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD54a1d9ac93bb2687b89aaec3e032ec5ff
SHA191d47e62a34af94ad010bbe098317e00c7728029
SHA256d9ac5758c27bf44e88108012a15a7384519d1e31367e6d664b2c69252ddc24fe
SHA512e6576ddf1083cb4b7f1248ea5a05bb59df257ed69ee8257c7f35f27673c0ad90377e9674048ccca875a6da02e4216a7ade5889938fb9df16dee63f2f33319e35
-
C:\Users\Admin\Downloads\Unconfirmed 163342.crdownloadFilesize
321KB
MD5600e0dbaefc03f7bf50abb0def3fb465
SHA11b5f0ac48e06edc4ed8243be61d71077f770f2b4
SHA25661e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
SHA512151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9
-
C:\Users\Admin\Downloads\Unconfirmed 883486.crdownloadFilesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
\??\pipe\LOCAL\crashpad_1444_UTUQEDEAQNBJNWDNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/468-261-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/2148-298-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/4164-290-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5168-302-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5216-310-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5260-210-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5368-176-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/5388-306-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5420-230-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5444-269-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5600-294-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5644-216-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5656-208-0x0000000000DA0000-0x0000000000DA1000-memory.dmpFilesize
4KB
-
memory/5868-220-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5896-286-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/5984-265-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/6064-282-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/6092-224-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/6276-315-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/6496-319-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/6708-323-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/6920-327-0x0000000013140000-0x000000001320F000-memory.dmpFilesize
828KB
-
memory/16304-995-0x0000000000020000-0x0000000000076000-memory.dmpFilesize
344KB
-
memory/16304-1000-0x00000000022D0000-0x00000000022D8000-memory.dmpFilesize
32KB
-
memory/16304-1003-0x0000000004E60000-0x0000000004E88000-memory.dmpFilesize
160KB
-
memory/16304-1002-0x0000000005740000-0x00000000057DC000-memory.dmpFilesize
624KB
-
memory/16304-999-0x0000000004D20000-0x0000000004DB2000-memory.dmpFilesize
584KB
-
memory/16304-996-0x00000000050F0000-0x0000000005694000-memory.dmpFilesize
5.6MB