Analysis
-
max time kernel
45s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
20-06-2024 21:30
General
-
Target
0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe
-
Size
346KB
-
MD5
0975b9801f11cfcffe33e71abb517357
-
SHA1
e82081d4fba866c085ca353d4a225b9aa6f90647
-
SHA256
82c8702c12b5d967f4447c2a257435682e15a61be76128563b04956e800c8e24
-
SHA512
8e00da88db17a83c934fdeececd76b77d7a1e6b7a2cc00b2b45eb8a8754f4cd421cbf212983bf4975edeea22637236ea938857029f6887b2fde5701f61a2baec
-
SSDEEP
6144:9wT5O7pJmNB6dLY6dCnnsyZLHoaIyv6ocU/qxDS2xDWb3cC9YcRPlbL:9P+NULZdCn3TbncU2D7Ab3R
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Z0MBÝ3
C2
mauss.no-ip.org:1604
Mutex
DC_MUTEX-VMMP0HM
Attributes
-
InstallPath
System32\explorer.exe
-
gencode
vP1F4l1wM86n
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
explorer
Extracted
Family
darkcomet
Attributes
- gencode
-
install
false
-
offline_keylogger
false
-
persistence
false
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe" +s +h3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\0975b9801f11cfcffe33e71abb517357_JaffaCakes118.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 43⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 44⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 45⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h6⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 46⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 47⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h8⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 48⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h9⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 49⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h10⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 410⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h11⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h11⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"10⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 411⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h12⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 412⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h13⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"12⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 413⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h14⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h14⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"13⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 414⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h15⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h15⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"14⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 415⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h16⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h16⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"15⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 416⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h16⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV117⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h17⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h17⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"16⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 417⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h18⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h18⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"17⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 418⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h19⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h19⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"18⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 419⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h20⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"19⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 420⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h21⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h21⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"20⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 421⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h22⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"21⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 422⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h23⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h23⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"22⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 423⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h24⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h24⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"23⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 424⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h25⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h25⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"24⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 425⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h26⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h26⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"25⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 426⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h27⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h27⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"26⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 427⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h28⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h28⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"27⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 428⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h29⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h29⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"28⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 429⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h30⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h30⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"29⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 430⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h30⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h31⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h30⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h31⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"30⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 431⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h32⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h32⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"31⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 432⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"31⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h32⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h33⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h32⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h33⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"32⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 433⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"32⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h34⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h34⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"33⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 434⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h34⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h35⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h34⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h35⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"34⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 435⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h35⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV136⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h36⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h36⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"35⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 436⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"35⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h36⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h37⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h36⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h37⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"36⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 437⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h38⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h38⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"37⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 438⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"37⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h39⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h39⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"38⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 439⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"38⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h39⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV140⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h40⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h39⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV140⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h40⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"39⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 440⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h41⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h41⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"40⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 441⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"40⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h42⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h42⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"41⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 442⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h42⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV143⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h43⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h43⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"42⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 443⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h44⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h44⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"43⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 444⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"43⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h45⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h45⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"44⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 445⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"44⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h46⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h46⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"45⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 446⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"45⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h46⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h47⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h46⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h47⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"46⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 447⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"46⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h48⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h48⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"47⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV148⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 448⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"47⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h49⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h49⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"48⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 449⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"48⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h50⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h50⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"49⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 450⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"49⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h50⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h51⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h51⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"50⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 451⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"50⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h52⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h51⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV152⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h52⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"51⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 452⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"51⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h53⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h53⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"52⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 453⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h54⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h53⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV154⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h54⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"53⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 454⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"53⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h54⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h55⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h55⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"54⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 455⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"54⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h55⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV156⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h56⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h56⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"55⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV156⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 456⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"55⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h57⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h57⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"56⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 457⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"56⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h58⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h58⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"57⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 458⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"57⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h59⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h59⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"58⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 459⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"58⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h60⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h60⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"59⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 460⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"59⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h60⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h61⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h60⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h61⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"60⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 461⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"60⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h62⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h62⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"61⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 462⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"61⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h62⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h63⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h63⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"62⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 463⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"62⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h64⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h64⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"63⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV164⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 464⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"63⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h65⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h65⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"64⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 465⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"64⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h65⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h66⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h66⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"65⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 466⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"65⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h67⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h67⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"66⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 467⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"66⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h68⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h68⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"67⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 468⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"67⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h68⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h69⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h68⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h69⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"68⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 469⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"68⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h70⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h70⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"69⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 470⤵
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"69⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h71⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h71⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"70⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 471⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"70⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h72⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h72⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"71⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 472⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"71⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h73⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h73⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"72⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 473⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"72⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h74⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h74⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"73⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 474⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"73⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h74⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe" +s +h75⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h74⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n" +s +h75⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\vP1F4l1wM86n\explorer.exe"74⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 475⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"C:\Windows\System32\vP1F4l1wM86n\explorer.exe"74⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe" +s +h76⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\vP1F4l1wM86n" +s +h76⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exe"75⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV176⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 476⤵
- Runs ping.exe
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e481c46d8d771964f4131abbb2b2083e pZGRZqlxcUaqjnXG2cPlkw.0.1.0.0.01⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\vP1F4l1wM86n\explorer.exeFilesize
346KB
MD50975b9801f11cfcffe33e71abb517357
SHA1e82081d4fba866c085ca353d4a225b9aa6f90647
SHA25682c8702c12b5d967f4447c2a257435682e15a61be76128563b04956e800c8e24
SHA5128e00da88db17a83c934fdeececd76b77d7a1e6b7a2cc00b2b45eb8a8754f4cd421cbf212983bf4975edeea22637236ea938857029f6887b2fde5701f61a2baec
-
memory/620-437-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/620-375-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/1524-996-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/1964-749-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/1968-3966-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/1968-4027-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/2652-501-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/2652-563-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/2668-312-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/2668-374-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/2948-0-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/2948-63-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/2948-1-0x0000000002400000-0x0000000002401000-memory.dmpFilesize
4KB
-
memory/3144-187-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/3144-126-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/3288-625-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/3620-687-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/3672-249-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/4104-311-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/4704-125-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5036-500-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5036-438-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5196-1675-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5196-1615-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5232-934-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5304-1246-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5360-1736-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5360-1676-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5368-810-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5556-1059-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5556-997-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5588-1308-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5600-1122-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5600-1184-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5844-872-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/5872-1121-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6304-1493-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6304-1433-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6364-1977-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6368-1370-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6544-1555-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6544-1614-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6544-2523-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6544-2463-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6544-2098-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6544-2039-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6884-1371-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6884-1432-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6888-2645-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6888-2585-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6900-1494-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/6900-1554-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7076-2341-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7076-1737-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7076-1796-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7360-1856-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7364-2280-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7364-2340-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7776-2584-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7776-2524-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7808-2038-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7808-1978-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7832-1917-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7832-1857-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/7868-2218-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8040-2824-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8084-2158-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8120-2279-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8120-2219-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8364-2402-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8364-2342-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8636-3665-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8636-3604-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8844-2401-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/8844-2462-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9096-3004-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9096-2944-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9108-2765-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9108-2705-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9180-2704-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9332-3124-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9360-2884-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9688-3304-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9728-3064-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/9824-2945-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10052-3725-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10116-3846-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10136-3426-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10136-3486-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10136-3244-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10152-3184-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10152-3125-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10260-3967-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10432-3364-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10448-3906-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10472-3606-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10748-3545-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10912-3365-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/10912-3425-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/11104-3786-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/11104-3726-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/11348-4149-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/11348-4209-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/11484-4087-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/11948-4269-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/11960-4088-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/11960-4148-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB