darkcomet | 82c8702c12b5d967f4447c2a257435682e15a61be76128563b04956e800c8e24

Analysis

max time kernel
49s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Size

346KB
MD5

0975b9801f11cfcffe33e71abb517357
SHA1

e82081d4fba866c085ca353d4a225b9aa6f90647
SHA256

82c8702c12b5d967f4447c2a257435682e15a61be76128563b04956e800c8e24
SHA512

8e00da88db17a83c934fdeececd76b77d7a1e6b7a2cc00b2b45eb8a8754f4cd421cbf212983bf4975edeea22637236ea938857029f6887b2fde5701f61a2baec
SSDEEP

6144:9wT5O7pJmNB6dLY6dCnnsyZLHoaIyv6ocU/qxDS2xDWb3cC9YcRPlbL:9P+NULZdCn3TbncU2D7Ab3R

Score

10^/10

darkcomet z0mbý3 evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Z0MBÝ3

mauss.no-ip.org:1604

Mutex

DC_MUTEX-VMMP0HM

Attributes

InstallPath
System32\explorer.exe
gencode
vP1F4l1wM86n
install
true
offline_keylogger
true
persistence
true
reg_key
explorer

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 35 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe,C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
3904	attrib.exe
4952	attrib.exe
7104	attrib.exe
6612	attrib.exe
2240	attrib.exe
3260	attrib.exe
4656	attrib.exe
4452	attrib.exe
4740	attrib.exe
5560	attrib.exe
6008	attrib.exe
1656	attrib.exe
4280	attrib.exe
5840	attrib.exe
5964	attrib.exe
6296	attrib.exe
6304	attrib.exe
2828	attrib.exe
3120	attrib.exe
3968	attrib.exe
3992	attrib.exe
6300	attrib.exe
6524	attrib.exe
2844	attrib.exe
2908	attrib.exe
4776	attrib.exe
6088	attrib.exe
6300	attrib.exe
5752	attrib.exe
3036	attrib.exe
624	attrib.exe
3716	attrib.exe
3920	attrib.exe
4284	attrib.exe
5244	attrib.exe
5932	attrib.exe
2076	attrib.exe
3088	attrib.exe
3932	attrib.exe
6512	attrib.exe
3392	attrib.exe
3572	attrib.exe
3620	attrib.exe
4464	attrib.exe
4620	attrib.exe
6140	attrib.exe
6880	attrib.exe
2528	attrib.exe
1708	attrib.exe
3952	attrib.exe
5008	attrib.exe
3984	attrib.exe
4116	attrib.exe
6124	attrib.exe
6880	attrib.exe
6740	attrib.exe
3940	attrib.exe
3120	attrib.exe
4840	attrib.exe
5092	attrib.exe
5472	attrib.exe
5600	attrib.exe
6816	attrib.exe
5088	attrib.exe

Executes dropped EXE 34 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2772	explorer.exe
360	explorer.exe
2812	explorer.exe
1776	explorer.exe
1252	explorer.exe
2572	explorer.exe
1744	explorer.exe
1912	explorer.exe
1704	explorer.exe
2812	explorer.exe
1844	explorer.exe
796	explorer.exe
572	explorer.exe
1376	explorer.exe
2460	explorer.exe
2528	explorer.exe
1496	explorer.exe
2200	explorer.exe
3024	explorer.exe
2676	explorer.exe
1708	explorer.exe
2064	explorer.exe
3120	explorer.exe
3324	explorer.exe
3540	explorer.exe
3756	explorer.exe
3964	explorer.exe
3076	explorer.exe
3316	explorer.exe
3644	explorer.exe
3808	explorer.exe
3160	explorer.exe
3600	explorer.exe
3992	explorer.exe

Loads dropped DLL 64 IoCs

Processes:

0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
2772	explorer.exe
2772	explorer.exe
360	explorer.exe
360	explorer.exe
2812	explorer.exe
2812	explorer.exe
1776	explorer.exe
1776	explorer.exe
1252	explorer.exe
1252	explorer.exe
2572	explorer.exe
2572	explorer.exe
1744	explorer.exe
1744	explorer.exe
1912	explorer.exe
1912	explorer.exe
1704	explorer.exe
1704	explorer.exe
2812	explorer.exe
2812	explorer.exe
1844	explorer.exe
1844	explorer.exe
796	explorer.exe
796	explorer.exe
572	explorer.exe
572	explorer.exe
1376	explorer.exe
1376	explorer.exe
2460	explorer.exe
2460	explorer.exe
2528	explorer.exe
2528	explorer.exe
1496	explorer.exe
1496	explorer.exe
2200	explorer.exe
2200	explorer.exe
3024	explorer.exe
3024	explorer.exe
2676	explorer.exe
2676	explorer.exe
1708	explorer.exe
1708	explorer.exe
2064	explorer.exe
2064	explorer.exe
3120	explorer.exe
3120	explorer.exe
3324	explorer.exe
3324	explorer.exe
3540	explorer.exe
3540	explorer.exe
3756	explorer.exe
3756	explorer.exe
3964	explorer.exe
3964	explorer.exe
3076	explorer.exe
3076	explorer.exe
3316	explorer.exe
3316	explorer.exe
3644	explorer.exe
3644	explorer.exe
3808	explorer.exe
3808	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2944-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	upx
behavioral1/memory/2944-14-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2772-25-0x00000000050A0000-0x0000000005186000-memory.dmp	upx
behavioral1/memory/2772-29-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/360-30-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2812-46-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/360-44-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1776-60-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2812-59-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1776-73-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1252-74-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1252-88-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2572-89-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1744-105-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2572-103-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1744-109-0x0000000004FA0000-0x0000000005086000-memory.dmp	upx
behavioral1/memory/1744-115-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1704-129-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1912-128-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1704-144-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1704-141-0x0000000004E60000-0x0000000004F46000-memory.dmp	upx
behavioral1/memory/2812-159-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1844-173-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/796-188-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/572-200-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1376-204-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1376-216-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2460-226-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2528-237-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2200-248-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1496-247-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2200-257-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3024-258-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3024-268-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1708-279-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2676-278-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1708-288-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2064-289-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/2064-297-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3120-300-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3324-312-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3120-310-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3324-320-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3540-323-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3540-336-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3756-334-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3756-346-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3964-354-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3076-356-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3076-367-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3316-377-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3644-387-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3808-388-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3160-401-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3808-398-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1020-472-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/3324-480-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/4116-488-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/4308-496-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/4500-504-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/4696-512-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/4896-520-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/5088-529-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 35 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\vP1F4l1wM86n\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\System32\\vP1F4l1wM86n\\explorer.exe"	explorer.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeexplorer.exeexplorer.exeexplorer.exeattrib.exeattrib.exeexplorer.exeattrib.exeexplorer.exeexplorer.exeattrib.exeexplorer.exeattrib.exeattrib.exeattrib.exeexplorer.exeexplorer.exeattrib.exeattrib.exeattrib.exeexplorer.exe0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exeattrib.exeattrib.exeexplorer.exeattrib.exeattrib.exeattrib.exeexplorer.exeattrib.exeexplorer.exeattrib.exeexplorer.exeattrib.exeattrib.exeattrib.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\	explorer.exe
File created	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n	attrib.exe
File created	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	attrib.exe
File created	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3124	PING.EXE
4692	PING.EXE
5772	PING.EXE
7112	PING.EXE
6396	PING.EXE
668	PING.EXE
4020	PING.EXE
5544	PING.EXE
6344	PING.EXE
6760	PING.EXE
2500	PING.EXE
3604	PING.EXE
3952	PING.EXE
2444	PING.EXE
1784	PING.EXE
3724	PING.EXE
5060	PING.EXE
6540	PING.EXE
6336	PING.EXE
2056	PING.EXE
3920	PING.EXE
3916	PING.EXE
5072	PING.EXE
5084	PING.EXE
6872	PING.EXE
1128	PING.EXE
3128	PING.EXE
5112	PING.EXE
5324	PING.EXE
5896	PING.EXE
6124	PING.EXE
6928	PING.EXE
2984	PING.EXE
3984	PING.EXE
3964	PING.EXE
5772	PING.EXE
6956	PING.EXE
264	PING.EXE
4264	PING.EXE
4664	PING.EXE
4516	PING.EXE
6728	PING.EXE
3512	PING.EXE
2676	PING.EXE
6120	PING.EXE
2180	PING.EXE
704	PING.EXE
3596	PING.EXE
3232	PING.EXE
4260	PING.EXE
5904	PING.EXE
2376	PING.EXE
3136	PING.EXE
4480	PING.EXE
2436	PING.EXE
5916	PING.EXE
1720	PING.EXE
1048	PING.EXE
948	PING.EXE
580	PING.EXE
2796	PING.EXE
3916	PING.EXE
5296	PING.EXE
6820	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeSecurityPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeRestorePrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeShutdownPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeDebugPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeUndockPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: 33	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: 34	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: 35	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2772	explorer.exe
Token: SeSecurityPrivilege	2772	explorer.exe
Token: SeTakeOwnershipPrivilege	2772	explorer.exe
Token: SeLoadDriverPrivilege	2772	explorer.exe
Token: SeSystemProfilePrivilege	2772	explorer.exe
Token: SeSystemtimePrivilege	2772	explorer.exe
Token: SeProfSingleProcessPrivilege	2772	explorer.exe
Token: SeIncBasePriorityPrivilege	2772	explorer.exe
Token: SeCreatePagefilePrivilege	2772	explorer.exe
Token: SeBackupPrivilege	2772	explorer.exe
Token: SeRestorePrivilege	2772	explorer.exe
Token: SeShutdownPrivilege	2772	explorer.exe
Token: SeDebugPrivilege	2772	explorer.exe
Token: SeSystemEnvironmentPrivilege	2772	explorer.exe
Token: SeChangeNotifyPrivilege	2772	explorer.exe
Token: SeRemoteShutdownPrivilege	2772	explorer.exe
Token: SeUndockPrivilege	2772	explorer.exe
Token: SeManageVolumePrivilege	2772	explorer.exe
Token: SeImpersonatePrivilege	2772	explorer.exe
Token: SeCreateGlobalPrivilege	2772	explorer.exe
Token: 33	2772	explorer.exe
Token: 34	2772	explorer.exe
Token: 35	2772	explorer.exe
Token: SeIncreaseQuotaPrivilege	360	explorer.exe
Token: SeSecurityPrivilege	360	explorer.exe
Token: SeTakeOwnershipPrivilege	360	explorer.exe
Token: SeLoadDriverPrivilege	360	explorer.exe
Token: SeSystemProfilePrivilege	360	explorer.exe
Token: SeSystemtimePrivilege	360	explorer.exe
Token: SeProfSingleProcessPrivilege	360	explorer.exe
Token: SeIncBasePriorityPrivilege	360	explorer.exe
Token: SeCreatePagefilePrivilege	360	explorer.exe
Token: SeBackupPrivilege	360	explorer.exe
Token: SeRestorePrivilege	360	explorer.exe
Token: SeShutdownPrivilege	360	explorer.exe
Token: SeDebugPrivilege	360	explorer.exe
Token: SeSystemEnvironmentPrivilege	360	explorer.exe
Token: SeChangeNotifyPrivilege	360	explorer.exe
Token: SeRemoteShutdownPrivilege	360	explorer.exe
Token: SeUndockPrivilege	360	explorer.exe
Token: SeManageVolumePrivilege	360	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

2772 explorer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

explorer.exe

pid process

2772 explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0975b9801f11cfcffe33e71abb517357_JaffaCakes118.execmd.execmd.execmd.exeexplorer.execmd.execmd.execmd.exeexplorer.exe

description	pid	process	target process
PID 2944 wrote to memory of 2152	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2152	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2152	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2152	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2620	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2620	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2620	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2620	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2704	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2704	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2704	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2704	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	cmd.exe
PID 2152 wrote to memory of 2688	2152	cmd.exe	attrib.exe
PID 2152 wrote to memory of 2688	2152	cmd.exe	attrib.exe
PID 2152 wrote to memory of 2688	2152	cmd.exe	attrib.exe
PID 2152 wrote to memory of 2688	2152	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2648	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2648	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2648	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2648	2620	cmd.exe	attrib.exe
PID 2704 wrote to memory of 2500	2704	cmd.exe	PING.EXE
PID 2704 wrote to memory of 2500	2704	cmd.exe	PING.EXE
PID 2704 wrote to memory of 2500	2704	cmd.exe	PING.EXE
PID 2704 wrote to memory of 2500	2704	cmd.exe	PING.EXE
PID 2944 wrote to memory of 2772	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	explorer.exe
PID 2944 wrote to memory of 2772	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	explorer.exe
PID 2944 wrote to memory of 2772	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	explorer.exe
PID 2944 wrote to memory of 2772	2944	0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe	explorer.exe
PID 2772 wrote to memory of 2164	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 2164	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 2164	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 2164	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 2392	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 2392	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 2392	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 2392	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 3044	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 3044	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 3044	2772	explorer.exe	cmd.exe
PID 2772 wrote to memory of 3044	2772	explorer.exe	cmd.exe
PID 2164 wrote to memory of 2472	2164	cmd.exe	attrib.exe
PID 2164 wrote to memory of 2472	2164	cmd.exe	attrib.exe
PID 2164 wrote to memory of 2472	2164	cmd.exe	attrib.exe
PID 2164 wrote to memory of 2472	2164	cmd.exe	attrib.exe
PID 2392 wrote to memory of 668	2392	cmd.exe	attrib.exe
PID 2392 wrote to memory of 668	2392	cmd.exe	attrib.exe
PID 2392 wrote to memory of 668	2392	cmd.exe	attrib.exe
PID 2392 wrote to memory of 668	2392	cmd.exe	attrib.exe
PID 3044 wrote to memory of 264	3044	cmd.exe	PING.EXE
PID 3044 wrote to memory of 264	3044	cmd.exe	PING.EXE
PID 3044 wrote to memory of 264	3044	cmd.exe	PING.EXE
PID 3044 wrote to memory of 264	3044	cmd.exe	PING.EXE
PID 2772 wrote to memory of 360	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 360	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 360	2772	explorer.exe	explorer.exe
PID 2772 wrote to memory of 360	2772	explorer.exe	explorer.exe
PID 360 wrote to memory of 2744	360	explorer.exe	cmd.exe
PID 360 wrote to memory of 2744	360	explorer.exe	cmd.exe
PID 360 wrote to memory of 2744	360	explorer.exe	cmd.exe
PID 360 wrote to memory of 2744	360	explorer.exe	cmd.exe
PID 360 wrote to memory of 2912	360	explorer.exe	cmd.exe
PID 360 wrote to memory of 2912	360	explorer.exe	cmd.exe
PID 360 wrote to memory of 2912	360	explorer.exe	cmd.exe
PID 360 wrote to memory of 2912	360	explorer.exe	cmd.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
6056	attrib.exe
6612	attrib.exe
668	attrib.exe
888	attrib.exe
2908	attrib.exe
3124	attrib.exe
4656	attrib.exe
4312	attrib.exe
4464	attrib.exe
928	attrib.exe
3480	attrib.exe
3144	attrib.exe
5052	attrib.exe
5024	attrib.exe
5300	attrib.exe
5752	attrib.exe
6296	attrib.exe
7004	attrib.exe
1504	attrib.exe
3272	attrib.exe
3344	attrib.exe
4128	attrib.exe
5096	attrib.exe
5244	attrib.exe
6740	attrib.exe
1556	attrib.exe
4424	attrib.exe
4776	attrib.exe
5560	attrib.exe
6504	attrib.exe
6596	attrib.exe
6756	attrib.exe
6816	attrib.exe
2972	attrib.exe
3088	attrib.exe
3940	attrib.exe
3984	attrib.exe
5600	attrib.exe
6580	attrib.exe
2748	attrib.exe
2000	attrib.exe
3952	attrib.exe
3620	attrib.exe
7088	attrib.exe
6512	attrib.exe
2776	attrib.exe
3968	attrib.exe
5304	attrib.exe
1956	attrib.exe
7104	attrib.exe
6300	attrib.exe
2240	attrib.exe
3260	attrib.exe
3984	attrib.exe
4496	attrib.exe
4624	attrib.exe
6140	attrib.exe
6300	attrib.exe
2828	attrib.exe
1708	attrib.exe
5968	attrib.exe
2740	attrib.exe
3492	attrib.exe
3788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe" +s +h
3⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:2500

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
4⤵
- Drops file in System32 directory
PID:2472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
4⤵
- Views/modifies file attributes
PID:668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
4⤵
- Runs ping.exe
PID:264

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
4⤵
PID:2744

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
5⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:2748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
4⤵
PID:2912

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
5⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
4⤵
PID:2532

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
5⤵
- Runs ping.exe
PID:1128

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
5⤵
PID:2864

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
6⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
5⤵
PID:1112

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
6⤵
- Sets file to hidden
PID:2076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
5⤵
PID:1540

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
6⤵
- Runs ping.exe
PID:2180

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
6⤵
PID:2136

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
7⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
6⤵
PID:2132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
7⤵
- Drops file in System32 directory
PID:1340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
6⤵
PID:1932

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
7⤵
- Runs ping.exe
PID:2056

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
7⤵
PID:1848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
8⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
7⤵
PID:272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
8⤵
- Views/modifies file attributes
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
7⤵
PID:1172

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
8⤵
PID:1688

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
8⤵
PID:1240

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
9⤵
- Drops file in System32 directory
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
8⤵
PID:544

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
9⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
8⤵
PID:1088

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
9⤵
- Runs ping.exe
PID:2444

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
9⤵
PID:2648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
10⤵
- Sets file to hidden
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
9⤵
PID:2920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
10⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
9⤵
PID:2592

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
10⤵
- Runs ping.exe
PID:2676

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
10⤵
PID:1668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
11⤵
- Drops file in System32 directory
PID:2788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
10⤵
PID:2848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
10⤵
PID:2832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
11⤵
PID:1708

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
11⤵
PID:1952

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
12⤵
- Sets file to hidden
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
11⤵
PID:2868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
12⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
11⤵
PID:688

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
12⤵
- Runs ping.exe
PID:2376

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
12⤵
PID:1660

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
13⤵
- Drops file in System32 directory
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
12⤵
PID:2552

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
13⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
12⤵
PID:1044

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
13⤵
- Runs ping.exe
PID:704

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
13⤵
PID:684

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
14⤵
- Views/modifies file attributes
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
13⤵
PID:828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
14⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
13⤵
PID:2988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
14⤵
PID:784

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
14⤵
PID:2384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
15⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
14⤵
PID:2964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
15⤵
- Drops file in System32 directory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
14⤵
PID:2696

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
15⤵
- Runs ping.exe
PID:1048

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
15⤵
PID:1960

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
16⤵
- Sets file to hidden
PID:2844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
15⤵
PID:1916

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
16⤵
- Views/modifies file attributes
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
15⤵
PID:1992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
16⤵
- Runs ping.exe
PID:1784

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
16⤵
PID:2716

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
17⤵
- Drops file in System32 directory
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
16⤵
PID:1776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
17⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
16⤵
PID:2968

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
17⤵
- Runs ping.exe
PID:1720

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
17⤵
PID:2376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
18⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
17⤵
PID:2992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
18⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
17⤵
PID:1624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
18⤵
- Runs ping.exe
PID:948

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
18⤵
PID:1160

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
19⤵
- Drops file in System32 directory
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
18⤵
PID:3040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
19⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
18⤵
PID:576

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
19⤵
- Runs ping.exe
PID:580

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
19⤵
PID:2116

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
20⤵
- Drops file in System32 directory
PID:928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
19⤵
PID:1204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
20⤵
- Drops file in System32 directory
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
19⤵
PID:2928

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
20⤵
PID:1048

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
20⤵
PID:2260

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
21⤵
- Sets file to hidden
- Drops file in System32 directory
PID:624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
20⤵
PID:704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
21⤵
- Sets file to hidden
- Drops file in System32 directory
PID:3036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
20⤵
PID:1820

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
21⤵
- Runs ping.exe
PID:2796

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
21⤵
PID:2888

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
22⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
21⤵
PID:2492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
22⤵
- Drops file in System32 directory
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
21⤵
PID:2528

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
22⤵
PID:1052

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
22⤵
PID:1252

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
23⤵
- Views/modifies file attributes
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
22⤵
PID:2584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
23⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
22⤵
PID:2240

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
23⤵
PID:2140

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
23⤵
PID:2308

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
24⤵
- Views/modifies file attributes
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
23⤵
PID:2204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
24⤵
- Drops file in System32 directory
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
23⤵
PID:2060

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
24⤵
- Runs ping.exe
PID:2984

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
24⤵
PID:2740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
25⤵
- Drops file in System32 directory
PID:1376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
24⤵
PID:1500

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
25⤵
- Views/modifies file attributes
PID:2972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
24⤵
PID:948

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
25⤵
PID:3092

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
25⤵
PID:3196

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
25⤵
PID:3204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
26⤵
- Views/modifies file attributes
PID:3272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
25⤵
PID:3236

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
26⤵
PID:3296

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
25⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
26⤵
PID:3400

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
27⤵
- Views/modifies file attributes
PID:3480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
26⤵
PID:3416

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
27⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:3492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
26⤵
PID:3436

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
27⤵
- Runs ping.exe
PID:3512

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
27⤵
PID:3624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
28⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
27⤵
PID:3632

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
28⤵
- Sets file to hidden
PID:3716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
27⤵
PID:3648

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
28⤵
- Runs ping.exe
PID:3724

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
27⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
28⤵
PID:3840

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
29⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
28⤵
PID:3848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
29⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
28⤵
PID:3864

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
29⤵
- Runs ping.exe
PID:3920

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
29⤵
PID:4036

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
30⤵
- Views/modifies file attributes
PID:3144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
29⤵
PID:4052

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
30⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
29⤵
PID:4064

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
30⤵
- Runs ping.exe
PID:3128

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
29⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:3076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
30⤵
PID:3264

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
31⤵
- Sets file to hidden
- Drops file in System32 directory
PID:3120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
30⤵
PID:3320

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
31⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
30⤵
PID:3292

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
31⤵
- Runs ping.exe
PID:668

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:3316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
31⤵
PID:3104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
32⤵
- Sets file to hidden
PID:3572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
31⤵
PID:3536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
32⤵
- Sets file to hidden
PID:3392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
31⤵
PID:3552

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
32⤵
- Runs ping.exe
PID:3604

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
31⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
32⤵
PID:3612

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
33⤵
- Views/modifies file attributes
PID:3788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
32⤵
PID:3696

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
33⤵
- Sets file to hidden
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
32⤵
PID:3528

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
33⤵
- Runs ping.exe
PID:3952

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
33⤵
PID:3732

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
34⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
33⤵
PID:3740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
34⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
33⤵
PID:3144

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
34⤵
- Runs ping.exe
PID:4020

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
33⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
34⤵
PID:3148

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
35⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
34⤵
PID:2908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
35⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
34⤵
PID:3256

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
35⤵
- Runs ping.exe
PID:3136

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:3600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
35⤵
PID:3820

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
36⤵
- Drops file in System32 directory
PID:3760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
35⤵
PID:1628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
36⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
35⤵
PID:3988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
36⤵
- Runs ping.exe
PID:3916

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
35⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:3992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
36⤵
PID:3192

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
37⤵
- Views/modifies file attributes
PID:3344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
36⤵
PID:3164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
37⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
36⤵
PID:4016

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
37⤵
PID:3932

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
36⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
37⤵
PID:3492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
38⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
37⤵
PID:3272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
38⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
37⤵
PID:3180

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
38⤵
- Runs ping.exe
PID:3596

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
37⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
38⤵
PID:3480

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
39⤵
- Views/modifies file attributes
PID:3124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
38⤵
PID:3296

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
39⤵
- Views/modifies file attributes
PID:3984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
38⤵
PID:1052

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
39⤵
PID:3304

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
38⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
39⤵
PID:3600

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
40⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
39⤵
PID:2680

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
40⤵
- Sets file to hidden
PID:3120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
39⤵
PID:668

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
40⤵
- Runs ping.exe
PID:3984

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
39⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
40⤵
PID:2984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
41⤵
- Sets file to hidden
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
40⤵
PID:3976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
41⤵
- Sets file to hidden
PID:3992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
40⤵
PID:3756

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
41⤵
- Runs ping.exe
PID:3964

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
40⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
41⤵
PID:3940

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
42⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
41⤵
PID:3572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
42⤵
- Sets file to hidden
PID:3920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
41⤵
PID:3152

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
42⤵
- Runs ping.exe
PID:3232

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
41⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
42⤵
PID:4180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
43⤵
- Sets file to hidden
PID:4284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
42⤵
PID:4188

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
43⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
42⤵
PID:4204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
43⤵
- Runs ping.exe
PID:4264

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
42⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
43⤵
PID:4372

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
44⤵
- Views/modifies file attributes
PID:4424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
43⤵
PID:4388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
44⤵
- Views/modifies file attributes
PID:4464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
43⤵
PID:4404

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
44⤵
PID:4472

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
43⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
44⤵
PID:4556

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
45⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
44⤵
PID:4580

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
45⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
44⤵
PID:4592

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
45⤵
- Runs ping.exe
PID:4664

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
44⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
45⤵
PID:4764

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
46⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
45⤵
PID:4780

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
46⤵
- Sets file to hidden
PID:4840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
45⤵
PID:4792

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
46⤵
PID:4864

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
45⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
46⤵
PID:4960

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
47⤵
- Sets file to hidden
PID:5008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
46⤵
PID:4976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
47⤵
- Views/modifies file attributes
PID:5052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
46⤵
PID:5000

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
47⤵
- Runs ping.exe
PID:5060

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
46⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
47⤵
PID:4124

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
48⤵
- Views/modifies file attributes
PID:4128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
47⤵
PID:3396

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
48⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
47⤵
PID:3588

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
48⤵
- Runs ping.exe
PID:3916

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
47⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
48⤵
PID:4292

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
49⤵
- Sets file to hidden
PID:4464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
48⤵
PID:4340

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
49⤵
- Views/modifies file attributes
PID:4496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
48⤵
PID:4352

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
49⤵
- Runs ping.exe
PID:4516

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
48⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
49⤵
PID:4704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
50⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
49⤵
PID:4564

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
50⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
49⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
50⤵
- Runs ping.exe
PID:4480

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
49⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
50⤵
PID:4684

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
51⤵
- Views/modifies file attributes
PID:5024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
50⤵
PID:4680

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
51⤵
- Sets file to hidden
PID:4952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
50⤵
PID:4944

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
51⤵
- Runs ping.exe
PID:2436

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
50⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
51⤵
PID:2008

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
52⤵
- Sets file to hidden
PID:5092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
51⤵
PID:4132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
52⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
51⤵
PID:4200

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
52⤵
- Runs ping.exe
PID:4260

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
51⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
52⤵
PID:1472

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
53⤵
- Sets file to hidden
PID:4116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
52⤵
PID:2628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
53⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
52⤵
PID:2708

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
53⤵
PID:4460

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
52⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
53⤵
PID:4840

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
54⤵
- Views/modifies file attributes
PID:4312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
53⤵
PID:4728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
54⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
53⤵
PID:4920

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
54⤵
PID:4696

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
53⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
54⤵
PID:4908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
55⤵
- Sets file to hidden
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
54⤵
PID:4736

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
55⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
54⤵
PID:1664

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
55⤵
- Runs ping.exe
PID:3124

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
54⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
55⤵
PID:2604

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
56⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
55⤵
PID:4272

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
56⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
55⤵
PID:4548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
56⤵
- Runs ping.exe
PID:4692

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
55⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
56⤵
PID:4932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
57⤵
- Sets file to hidden
PID:4280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
56⤵
PID:4520

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
57⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
56⤵
PID:4344

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
57⤵
- Runs ping.exe
PID:5072

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
56⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
57⤵
PID:4708

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
58⤵
- Sets file to hidden
PID:4452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
57⤵
PID:4168

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
58⤵
- Views/modifies file attributes
PID:5096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
57⤵
PID:4696

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
58⤵
- Runs ping.exe
PID:5084

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
57⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
58⤵
PID:4160

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
59⤵
- Sets file to hidden
PID:4740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
58⤵
PID:4832

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
59⤵
- Views/modifies file attributes
PID:4624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
58⤵
PID:4256

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
59⤵
PID:5096

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
58⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
59⤵
PID:4868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
60⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
59⤵
PID:4692

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
60⤵
- Sets file to hidden
PID:4620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
59⤵
PID:4884

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
60⤵
PID:4544

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
59⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
60⤵
PID:3020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
61⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
60⤵
PID:4312

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
61⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
60⤵
PID:5072

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
61⤵
- Runs ping.exe
PID:5112

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
60⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
61⤵
PID:5192

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
62⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
61⤵
PID:5216

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
62⤵
PID:5288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
61⤵
PID:5236

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
62⤵
- Runs ping.exe
PID:5296

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
61⤵
PID:5328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
62⤵
PID:5392

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
63⤵
- Sets file to hidden
PID:5472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
62⤵
PID:5408

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
63⤵
PID:5492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
62⤵
PID:5420

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
63⤵
PID:5484

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
62⤵
PID:5524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
63⤵
PID:5608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
64⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
63⤵
PID:5624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
64⤵
PID:5716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
63⤵
PID:5640

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
64⤵
PID:5696

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
63⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
64⤵
PID:5800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
65⤵
- Sets file to hidden
PID:5840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
64⤵
PID:5816

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
65⤵
PID:5896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
64⤵
PID:5832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
65⤵
- Runs ping.exe
PID:5904

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
64⤵
PID:5932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
65⤵
PID:5992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
66⤵
- Views/modifies file attributes
PID:6056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
65⤵
PID:6012

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
66⤵
- Sets file to hidden
PID:6088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
65⤵
PID:6032

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
66⤵
PID:6096

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
65⤵
PID:6128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
66⤵
PID:5124

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
67⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
66⤵
PID:5148

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
67⤵
PID:5352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
66⤵
PID:5176

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
67⤵
PID:5324

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
66⤵
PID:5348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
67⤵
PID:5496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
68⤵
- Views/modifies file attributes
PID:5304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
67⤵
PID:5048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
68⤵
- Views/modifies file attributes
PID:5300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
67⤵
PID:5320

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
68⤵
PID:5456

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
67⤵
PID:5568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
68⤵
PID:5576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
69⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
68⤵
PID:2440

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
69⤵
PID:5780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
68⤵
PID:5588

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
69⤵
PID:1784

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
68⤵
PID:5852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
69⤵
PID:5872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
70⤵
- Sets file to hidden
PID:6008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
69⤵
PID:5736

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
70⤵
PID:6136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
69⤵
PID:5960

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
70⤵
- Runs ping.exe
PID:6120

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
69⤵
PID:6076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
70⤵
PID:5256

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
71⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
70⤵
PID:5200

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
71⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
70⤵
PID:5344

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
71⤵
PID:5276

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
70⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
71⤵
PID:920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
72⤵
PID:5348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
71⤵
PID:844

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
72⤵
PID:5744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
71⤵
PID:5580

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
72⤵
- Runs ping.exe
PID:5324

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
71⤵
PID:5524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
72⤵
PID:5512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
73⤵
PID:6028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
72⤵
PID:5892

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
73⤵
- Sets file to hidden
PID:5932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
72⤵
PID:4328

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
73⤵
- Runs ping.exe
PID:5772

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
72⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
73⤵
PID:5304

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
74⤵
- Sets file to hidden
PID:5964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
73⤵
PID:5132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
74⤵
PID:5348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
73⤵
PID:4524

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
74⤵
PID:5560

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
73⤵
PID:5280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
74⤵
PID:5484

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
75⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
74⤵
PID:5504

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
75⤵
- Views/modifies file attributes
PID:5968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
74⤵
PID:5956

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
75⤵
- Runs ping.exe
PID:5916

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
74⤵
PID:5524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
75⤵
PID:5964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
76⤵
- Sets file to hidden
PID:6124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
75⤵
PID:5764

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
76⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
75⤵
PID:5380

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
76⤵
- Runs ping.exe
PID:5896

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
75⤵
PID:5928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
76⤵
PID:5656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
77⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
76⤵
PID:5620

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
77⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
76⤵
PID:2564

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
77⤵
- Runs ping.exe
PID:6124

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
76⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
77⤵
PID:6072

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
78⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
77⤵
PID:5568

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
78⤵
- Views/modifies file attributes
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
77⤵
PID:5908

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
78⤵
- Runs ping.exe
PID:5772

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
77⤵
PID:5404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
78⤵
PID:2960

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
79⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
78⤵
PID:5572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
79⤵
PID:5768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
78⤵
PID:5096

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
79⤵
- Runs ping.exe
PID:5544

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
78⤵
PID:6172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
79⤵
PID:6244

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
80⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
79⤵
PID:6260

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
80⤵
PID:6336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
79⤵
PID:6284

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
80⤵
- Runs ping.exe
PID:6344

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
79⤵
PID:6372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
80⤵
PID:6440

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
81⤵
PID:6488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
80⤵
PID:6456

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
81⤵
PID:6528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
80⤵
PID:6480

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
81⤵
- Runs ping.exe
PID:6540

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
80⤵
PID:6568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
81⤵
PID:6628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
82⤵
PID:6712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
81⤵
PID:6644

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
82⤵
PID:6720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
81⤵
PID:6656

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
82⤵
- Runs ping.exe
PID:6728

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
81⤵
PID:6760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
82⤵
PID:6828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
83⤵
- Sets file to hidden
PID:6880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
82⤵
PID:6844

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
83⤵
PID:6908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
82⤵
PID:6860

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
83⤵
- Runs ping.exe
PID:6928

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
82⤵
PID:6952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
83⤵
PID:7020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
84⤵
- Views/modifies file attributes
PID:7088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
83⤵
PID:7028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
84⤵
- Sets file to hidden
- Views/modifies file attributes
PID:7104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
83⤵
PID:7056

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
84⤵
- Runs ping.exe
PID:7112

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
83⤵
PID:7144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
84⤵
PID:5716

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
85⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
84⤵
PID:5896

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
85⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
84⤵
PID:6192

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
85⤵
- Runs ping.exe
PID:6336

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
84⤵
PID:6236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
85⤵
PID:5168

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
86⤵
PID:6404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
85⤵
PID:5544

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
86⤵
- Sets file to hidden
PID:6524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
85⤵
PID:6532

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
86⤵
PID:6588

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
85⤵
PID:6680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
86⤵
PID:6708

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
87⤵
PID:6548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
86⤵
PID:6624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
87⤵
PID:6808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
86⤵
PID:6780

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
87⤵
- Runs ping.exe
PID:6872

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
86⤵
PID:6924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
87⤵
PID:6744

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
88⤵
PID:7072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
87⤵
PID:6732

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
88⤵
- Views/modifies file attributes
PID:7004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
87⤵
PID:7088

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
88⤵
- Runs ping.exe
PID:6956

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
87⤵
PID:5700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
88⤵
PID:6384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
89⤵
- Views/modifies file attributes
PID:6504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
88⤵
PID:6196

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
89⤵
- Views/modifies file attributes
PID:6580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
88⤵
PID:6188

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
89⤵
PID:6392

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
88⤵
PID:6668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
89⤵
PID:6748

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
90⤵
PID:6412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
89⤵
PID:6328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
90⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
89⤵
PID:6368

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
90⤵
- Runs ping.exe
PID:6820

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
89⤵
PID:6816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
90⤵
PID:7000

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
91⤵
PID:7156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
90⤵
PID:6892

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
91⤵
- Sets file to hidden
PID:6304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
90⤵
PID:6872

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
91⤵
- Runs ping.exe
PID:6760

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
90⤵
PID:5540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
91⤵
PID:5276

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
92⤵
- Views/modifies file attributes
PID:6596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
91⤵
PID:6176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
92⤵
- Sets file to hidden
PID:6880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
91⤵
PID:5768

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
92⤵
PID:6840

C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
91⤵
PID:6548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
92⤵
PID:6796

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h
93⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
92⤵
PID:7156

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h
93⤵
- Views/modifies file attributes
PID:6756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"
92⤵
PID:6208

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
93⤵
PID:6792

C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"
92⤵
PID:6424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
93⤵
PID:6724

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h
94⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
93⤵
PID:4268

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h
94⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"
93⤵
PID:6504

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
94⤵
- Runs ping.exe
PID:6396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1219868113131276652161157233658761884-1109826050-1743069897776018711-973131222"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "139995114217929654751676206185-123182235911359282071501032760230184974-26677344"
1⤵
PID:1452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-937545190-915182227680500957592438033-4532210041041062849-187039428811065792"
1⤵
PID:796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1255471525140236968718937381862106289768-1007623939-1815543936-207560546412024509"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1603099653-543387415281859560-17176998331509276072027973000910251556908883153"
1⤵
PID:2000

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16029401221662482759-721063335-115552461912803605-1437466259-480946679-1016727679"
1⤵
PID:3024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1026632082-705442210-423712105-1779128356-135564209410155790721719795846-1349181689"
1⤵
PID:2812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12712349415234267946265090957988868527737811-6695096471588230662-1341209984"
1⤵
PID:3540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15306597381737912580-1327251835-73988955321870672-19244622421286816247-1651415117"
1⤵
PID:3724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "205761587815292295165082156401142743532-10756027911393328668-2085737968-263137915"
1⤵
PID:3788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-503577456591598617-1393094802421517455299983071422816738-1246060889-199587865"
1⤵
PID:3904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-798066416-17095123391768989104-1911167613144184371117286652541934730773-81527484"
1⤵
PID:2140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-293199048-4307466366479370932660417641342830058-2001098170-543184720704460167"
1⤵
PID:3808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2022262830-518378629-125569190-19535820101217301167-1560475593-19356353221591338012"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1886163975961642642731141980203643463-126290299020411373991650137480-1138918460"
1⤵
PID:3968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "41954455212712342181985349073461638591416949587104669057311583977261280579268"
1⤵
PID:3992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-703651459-688743415-6987499501624695598-196340776438708328-19144223521981144922"
1⤵
PID:3920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2003931014-1752553701-523362829-1863015549-1629347063-451650991291885567449624067"
1⤵
PID:3324

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe
Filesize
346KB

MD5
0975b9801f11cfcffe33e71abb517357

SHA1
e82081d4fba866c085ca353d4a225b9aa6f90647

SHA256
82c8702c12b5d967f4447c2a257435682e15a61be76128563b04956e800c8e24

SHA512
8e00da88db17a83c934fdeececd76b77d7a1e6b7a2cc00b2b45eb8a8754f4cd421cbf212983bf4975edeea22637236ea938857029f6887b2fde5701f61a2baec

Download Submit
memory/360-43-0x0000000003D70000-0x0000000003E56000-memory.dmp

Filesize
920KB

Download
memory/360-44-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/360-45-0x0000000003D70000-0x0000000003E56000-memory.dmp

Filesize
920KB

Download
memory/360-30-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/572-202-0x0000000004F80000-0x0000000005066000-memory.dmp

Filesize
920KB

Download
memory/572-200-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/572-201-0x0000000004F80000-0x0000000005066000-memory.dmp

Filesize
920KB

Download
memory/796-187-0x00000000050D0000-0x00000000051B6000-memory.dmp

Filesize
920KB

Download
memory/796-188-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1020-472-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1252-86-0x0000000004F70000-0x0000000005056000-memory.dmp

Filesize
920KB

Download
memory/1252-74-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1252-88-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1376-215-0x0000000005120000-0x0000000005206000-memory.dmp

Filesize
920KB

Download
memory/1376-216-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1376-204-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1496-242-0x0000000005050000-0x0000000005136000-memory.dmp

Filesize
920KB

Download
memory/1496-247-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1704-129-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1704-141-0x0000000004E60000-0x0000000004F46000-memory.dmp

Filesize
920KB

Download
memory/1704-142-0x0000000004E60000-0x0000000004F46000-memory.dmp

Filesize
920KB

Download
memory/1704-144-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1708-288-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1708-279-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1744-112-0x00000000778E0000-0x00000000779DA000-memory.dmp

Filesize
1000KB

Download
memory/1744-111-0x00000000777C0000-0x00000000778DF000-memory.dmp

Filesize
1.1MB

Download
memory/1744-115-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1744-113-0x0000000004FA0000-0x0000000005086000-memory.dmp

Filesize
920KB

Download
memory/1744-109-0x0000000004FA0000-0x0000000005086000-memory.dmp

Filesize
920KB

Download
memory/1744-105-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1776-73-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1776-60-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1844-173-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1844-172-0x0000000005020000-0x0000000005106000-memory.dmp

Filesize
920KB

Download
memory/1844-174-0x0000000005020000-0x0000000005106000-memory.dmp

Filesize
920KB

Download
memory/1912-126-0x0000000003BC0000-0x0000000003CA6000-memory.dmp

Filesize
920KB

Download
memory/1912-128-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2064-289-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2064-299-0x0000000004F60000-0x0000000005046000-memory.dmp

Filesize
920KB

Download
memory/2064-297-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2064-298-0x0000000004F60000-0x0000000005046000-memory.dmp

Filesize
920KB

Download
memory/2200-257-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2200-248-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2460-226-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2460-225-0x0000000003B20000-0x0000000003C06000-memory.dmp

Filesize
920KB

Download
memory/2528-235-0x0000000003C10000-0x0000000003CF6000-memory.dmp

Filesize
920KB

Download
memory/2528-237-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2528-236-0x0000000003C10000-0x0000000003CF6000-memory.dmp

Filesize
920KB

Download
memory/2572-89-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2572-102-0x0000000004E90000-0x0000000004F76000-memory.dmp

Filesize
920KB

Download
memory/2572-103-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2676-278-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2772-25-0x00000000050A0000-0x0000000005186000-memory.dmp

Filesize
920KB

Download
memory/2772-26-0x00000000050A0000-0x0000000005186000-memory.dmp

Filesize
920KB

Download
memory/2772-29-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2812-159-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2812-59-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2812-155-0x0000000004F60000-0x0000000005046000-memory.dmp

Filesize
920KB

Download
memory/2812-157-0x0000000004F60000-0x0000000005046000-memory.dmp

Filesize
920KB

Download
memory/2812-46-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2944-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2944-14-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2944-11-0x0000000003CE0000-0x0000000003DC6000-memory.dmp

Filesize
920KB

Download
memory/2944-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3024-268-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3024-267-0x0000000003C00000-0x0000000003CE6000-memory.dmp

Filesize
920KB

Download
memory/3024-258-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3024-269-0x0000000003C00000-0x0000000003CE6000-memory.dmp

Filesize
920KB

Download
memory/3024-324-0x0000000003C00000-0x0000000003CE6000-memory.dmp

Filesize
920KB

Download
memory/3076-366-0x0000000004FD0000-0x00000000050B6000-memory.dmp

Filesize
920KB

Download
memory/3076-367-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3076-409-0x0000000004FD0000-0x00000000050B6000-memory.dmp

Filesize
920KB

Download
memory/3076-364-0x0000000004FD0000-0x00000000050B6000-memory.dmp

Filesize
920KB

Download
memory/3076-356-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3120-309-0x0000000003BD0000-0x0000000003CB6000-memory.dmp

Filesize
920KB

Download
memory/3120-311-0x0000000003BD0000-0x0000000003CB6000-memory.dmp

Filesize
920KB

Download
memory/3120-310-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3120-300-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3160-411-0x0000000003BC0000-0x0000000003CA6000-memory.dmp

Filesize
920KB

Download
memory/3160-401-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3160-412-0x0000000003BC0000-0x0000000003CA6000-memory.dmp

Filesize
920KB

Download
memory/3316-376-0x0000000003BA0000-0x0000000003C86000-memory.dmp

Filesize
920KB

Download
memory/3316-378-0x0000000003BA0000-0x0000000003C86000-memory.dmp

Filesize
920KB

Download
memory/3316-377-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3324-320-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3324-480-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3324-321-0x0000000004F60000-0x0000000005046000-memory.dmp

Filesize
920KB

Download
memory/3324-322-0x0000000004F60000-0x0000000005046000-memory.dmp

Filesize
920KB

Download
memory/3324-312-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3540-333-0x00000000050E0000-0x00000000051C6000-memory.dmp

Filesize
920KB

Download
memory/3540-336-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3540-332-0x00000000050E0000-0x00000000051C6000-memory.dmp

Filesize
920KB

Download
memory/3540-323-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3644-387-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3756-346-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3756-345-0x0000000005000000-0x00000000050E6000-memory.dmp

Filesize
920KB

Download
memory/3756-334-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3808-399-0x0000000004FF0000-0x00000000050D6000-memory.dmp

Filesize
920KB

Download
memory/3808-398-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3808-388-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3808-397-0x0000000004FF0000-0x00000000050D6000-memory.dmp

Filesize
920KB

Download
memory/3964-400-0x0000000004FF0000-0x00000000050D6000-memory.dmp

Filesize
920KB

Download
memory/3964-355-0x0000000004FF0000-0x00000000050D6000-memory.dmp

Filesize
920KB

Download
memory/3964-354-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4116-488-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4256-601-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4284-537-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4284-633-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4308-496-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4500-504-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4524-625-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4528-545-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4544-617-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4576-577-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4696-512-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4736-553-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4896-520-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4904-585-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4948-561-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5068-609-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5076-569-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5084-593-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5088-529-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5128-641-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5328-649-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5524-657-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads