Resubmissions
17-09-2024 16:20
240917-ttcpasscrd 417-09-2024 16:08
240917-tlmjja1hrf 617-09-2024 16:03
240917-the1aa1gnc 1017-09-2024 15:53
240917-tbyh2s1fpm 817-09-2024 15:46
240917-s738qs1dqn 1016-09-2024 16:27
240916-tx94zaxgjm 316-09-2024 16:00
240916-tfqc8swerd 1016-09-2024 15:57
240916-td4svawflr 629-08-2024 23:57
240829-3zs3xazamm 3Analysis
-
max time kernel
113s -
max time network
343s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
17-09-2024 15:46
General
-
Target
https://valkyrieofficial.vercel.app/
Score
10/10
Malware Config
Extracted
Family
crimsonrat
C2
185.136.161.124
Signatures
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 24 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Modifies file permissions 1 TTPs 62 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 64 IoCs
-
Launches sc.exe 24 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 16 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 7 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://valkyrieofficial.vercel.app/1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2e0146f8,0x7ffd2e014708,0x7ffd2e0147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4740 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5324 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7132 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Blackkomet.exe"C:\Users\Admin\Downloads\Blackkomet.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads" +s +h3⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad8⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad10⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h10⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h10⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h11⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h11⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad12⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h12⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h12⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h13⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad14⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h14⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h14⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h15⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h15⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad16⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h16⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h16⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h17⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h17⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad18⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h18⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h18⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h19⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h19⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad20⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h20⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h20⤵
- Sets file to hidden
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h21⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h21⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad22⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h22⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h22⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h23⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h23⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad24⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h24⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h24⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h25⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h25⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"25⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad26⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h26⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h26⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h27⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h27⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"27⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad28⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h28⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h28⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h29⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h29⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"29⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad30⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h30⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h30⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h31⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h31⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad32⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h32⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h32⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵
- Adds Run key to start application
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h33⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV134⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h33⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad34⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h34⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h34⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h35⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h35⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"35⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad36⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h36⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h36⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"36⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h37⤵
- Views/modifies file attributes
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV138⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h37⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"37⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\notepad.exenotepad38⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h38⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h38⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"38⤵
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h39⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h39⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad40⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h40⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h40⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"40⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h41⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h41⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"41⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad42⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h42⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h42⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"42⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h43⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h43⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"43⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad44⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h44⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h44⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"44⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h45⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h45⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"45⤵
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad46⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h46⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h46⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"46⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h47⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h47⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"47⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\notepad.exenotepad48⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h48⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h48⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"48⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h49⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h49⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV150⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"49⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\notepad.exenotepad50⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h50⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h50⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"50⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad51⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h51⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h51⤵
- Sets file to hidden
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV152⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"51⤵
-
C:\Windows\SysWOW64\notepad.exenotepad52⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h52⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h52⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"52⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\notepad.exenotepad53⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h53⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h53⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"53⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad54⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h54⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h54⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"54⤵
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h55⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h55⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"55⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad56⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h56⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h56⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"56⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad57⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h57⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV158⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h57⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"57⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad58⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h58⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h58⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"58⤵
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h59⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h59⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"59⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad60⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h60⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h60⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"60⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad61⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h61⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h61⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV162⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"61⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad62⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h62⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h62⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"62⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad63⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h63⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h63⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"63⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad64⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h64⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h64⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"64⤵
-
C:\Windows\SysWOW64\notepad.exenotepad65⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h65⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h65⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"65⤵
-
C:\Windows\SysWOW64\notepad.exenotepad66⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h66⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h66⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"66⤵
-
C:\Windows\SysWOW64\notepad.exenotepad67⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h67⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV168⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h67⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"67⤵
-
C:\Windows\SysWOW64\notepad.exenotepad68⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h68⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h68⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"68⤵
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h69⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h69⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"69⤵
-
C:\Windows\SysWOW64\notepad.exenotepad70⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h70⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h70⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"70⤵
-
C:\Windows\SysWOW64\notepad.exenotepad71⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h71⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h71⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"71⤵
-
C:\Windows\SysWOW64\notepad.exenotepad72⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h72⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h72⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"72⤵
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h73⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h73⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"73⤵
-
C:\Windows\SysWOW64\notepad.exenotepad74⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h74⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h74⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"74⤵
-
C:\Windows\SysWOW64\notepad.exenotepad75⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h75⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h75⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"75⤵
-
C:\Windows\SysWOW64\notepad.exenotepad76⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h76⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h76⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"76⤵
-
C:\Windows\SysWOW64\notepad.exenotepad77⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h77⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h77⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"77⤵
-
C:\Windows\SysWOW64\notepad.exenotepad78⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h78⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h78⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"78⤵
-
C:\Windows\SysWOW64\notepad.exenotepad79⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h79⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h79⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"79⤵
-
C:\Windows\SysWOW64\notepad.exenotepad80⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h80⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h80⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"80⤵
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h81⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h81⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"81⤵
-
C:\Windows\SysWOW64\notepad.exenotepad82⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h82⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h82⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"82⤵
-
C:\Windows\SysWOW64\notepad.exenotepad83⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h83⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h83⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"83⤵
-
C:\Windows\SysWOW64\notepad.exenotepad84⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h84⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h84⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"84⤵
-
C:\Windows\SysWOW64\notepad.exenotepad85⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h85⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h85⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"85⤵
-
C:\Windows\SysWOW64\notepad.exenotepad86⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h86⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h86⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"86⤵
-
C:\Windows\SysWOW64\notepad.exenotepad87⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h87⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h87⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"87⤵
-
C:\Windows\SysWOW64\notepad.exenotepad88⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h88⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h88⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"88⤵
-
C:\Windows\SysWOW64\notepad.exenotepad89⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h89⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h89⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"89⤵
-
C:\Windows\SysWOW64\notepad.exenotepad90⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h90⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h90⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"90⤵
-
C:\Windows\SysWOW64\notepad.exenotepad91⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h91⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h91⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"91⤵
-
C:\Windows\SysWOW64\notepad.exenotepad92⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h92⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h92⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"92⤵
-
C:\Windows\SysWOW64\notepad.exenotepad93⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h93⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h93⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"93⤵
-
C:\Windows\SysWOW64\notepad.exenotepad94⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h94⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h94⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"94⤵
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h95⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h95⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"95⤵
-
C:\Windows\SysWOW64\notepad.exenotepad96⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h96⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h96⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe95⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe94⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe93⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe92⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe91⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe90⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe89⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15592 -s 14890⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe88⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe87⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe86⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe85⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe84⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe83⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15068 -s 34884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe82⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe81⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe80⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe79⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe78⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe77⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe76⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe75⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe74⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe73⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe72⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe71⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe70⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe69⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe68⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe67⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe66⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe65⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe64⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe63⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe62⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe61⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe60⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe59⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe58⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe57⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe56⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe55⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe54⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe53⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe52⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe51⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe50⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10468 -s 12451⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe49⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe48⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe47⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe46⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe45⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe44⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe43⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe42⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe41⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe40⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe39⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe38⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe37⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe36⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe35⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe34⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe33⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe32⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe31⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe30⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe29⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe28⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe27⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe26⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe25⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe24⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe23⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe22⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe21⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe20⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe19⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe18⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe17⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe16⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe15⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe14⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe13⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe12⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe11⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe10⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe9⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe8⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe6⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe5⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe4⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\Blackkomet.exe"C:\Users\Admin\Downloads\Blackkomet.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h3⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads" +s +h3⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad8⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad10⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h10⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h11⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h11⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad12⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h12⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h12⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h13⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h13⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad14⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h14⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h14⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h15⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h15⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad16⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h16⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h16⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h17⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h17⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad18⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h18⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h18⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h19⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h19⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad20⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h20⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h20⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h21⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV122⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h21⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad22⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 6823⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h22⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h22⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h23⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h23⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"23⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad24⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h24⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h24⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h25⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h25⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad26⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h26⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h26⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h27⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h27⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad28⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h28⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h28⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h29⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h29⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV130⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"29⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad30⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h30⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h30⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h31⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h31⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"31⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad32⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h32⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h32⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h33⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h33⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad34⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h34⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h34⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"34⤵
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h35⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h35⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"35⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad36⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h36⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h36⤵
- Sets file to hidden
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"36⤵
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9168 -s 41638⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h37⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h37⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"37⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad38⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h38⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h38⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"38⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h39⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h39⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"39⤵
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad40⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h40⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h40⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV141⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"40⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h41⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h41⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"41⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad42⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h42⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h42⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"42⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h43⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV144⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h43⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"43⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad44⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h44⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h44⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"44⤵
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h45⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h45⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"45⤵
- Modifies WinLogon for persistence
- Checks computer location settings
-
C:\Windows\SysWOW64\notepad.exenotepad46⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h46⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h46⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"46⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h47⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h47⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"47⤵
- Modifies WinLogon for persistence
- Checks computer location settings
-
C:\Windows\SysWOW64\notepad.exenotepad48⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h48⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h48⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"48⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h49⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h49⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"49⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad50⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h50⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h50⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"50⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad51⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h51⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h51⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"51⤵
- Modifies WinLogon for persistence
- Checks computer location settings
-
C:\Windows\SysWOW64\notepad.exenotepad52⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h52⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h52⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"52⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad53⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h53⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h53⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"53⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad54⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h54⤵
- Drops file in System32 directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h54⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"54⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h55⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h55⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"55⤵
- Modifies WinLogon for persistence
- Checks computer location settings
-
C:\Windows\SysWOW64\notepad.exenotepad56⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h56⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h56⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"56⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad57⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h57⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h57⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"57⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\notepad.exenotepad58⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h58⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h58⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"58⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h59⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h59⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"59⤵
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad60⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h60⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h60⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"60⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\notepad.exenotepad61⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h61⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h61⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"61⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad62⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h62⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h62⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"62⤵
-
C:\Windows\SysWOW64\notepad.exenotepad63⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h63⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h63⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"63⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad64⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h64⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h64⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"64⤵
-
C:\Windows\SysWOW64\notepad.exenotepad65⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h65⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h65⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"65⤵
-
C:\Windows\SysWOW64\notepad.exenotepad66⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h66⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h66⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"66⤵
-
C:\Windows\SysWOW64\notepad.exenotepad67⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h67⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h67⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV168⤵
-
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"67⤵
-
C:\Windows\SysWOW64\notepad.exenotepad68⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h68⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h68⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"68⤵
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h69⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h69⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"69⤵
-
C:\Windows\SysWOW64\notepad.exenotepad70⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h70⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h70⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"70⤵
-
C:\Windows\SysWOW64\notepad.exenotepad71⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h71⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h71⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"71⤵
-
C:\Windows\SysWOW64\notepad.exenotepad72⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13848 -s 15673⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h72⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h72⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"72⤵
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h73⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h73⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"73⤵
-
C:\Windows\SysWOW64\notepad.exenotepad74⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h74⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h74⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"74⤵
-
C:\Windows\SysWOW64\notepad.exenotepad75⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h75⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h75⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"75⤵
-
C:\Windows\SysWOW64\notepad.exenotepad76⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h76⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h76⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"76⤵
-
C:\Windows\SysWOW64\notepad.exenotepad77⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h77⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h77⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"77⤵
-
C:\Windows\SysWOW64\notepad.exenotepad78⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h78⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h78⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"78⤵
-
C:\Windows\SysWOW64\notepad.exenotepad79⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h79⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h79⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"79⤵
-
C:\Windows\SysWOW64\notepad.exenotepad80⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h80⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h80⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"80⤵
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h81⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h81⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"81⤵
-
C:\Windows\SysWOW64\notepad.exenotepad82⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h82⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h82⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"82⤵
-
C:\Windows\SysWOW64\notepad.exenotepad83⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h83⤵
- Views/modifies file attributes
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV184⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h83⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"83⤵
-
C:\Windows\SysWOW64\notepad.exenotepad84⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h84⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h84⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"84⤵
-
C:\Windows\SysWOW64\notepad.exenotepad85⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h85⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h85⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"85⤵
-
C:\Windows\SysWOW64\notepad.exenotepad86⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h86⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h86⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"86⤵
-
C:\Windows\SysWOW64\notepad.exenotepad87⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h87⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h87⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"87⤵
-
C:\Windows\SysWOW64\notepad.exenotepad88⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h88⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h88⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"88⤵
-
C:\Windows\SysWOW64\notepad.exenotepad89⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h89⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h89⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"89⤵
-
C:\Windows\SysWOW64\notepad.exenotepad90⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h90⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h90⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"90⤵
-
C:\Windows\SysWOW64\notepad.exenotepad91⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h91⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h91⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"91⤵
-
C:\Windows\SysWOW64\notepad.exenotepad92⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h92⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h92⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"92⤵
-
C:\Windows\SysWOW64\notepad.exenotepad93⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h93⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h93⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"93⤵
-
C:\Windows\SysWOW64\notepad.exenotepad94⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h94⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h94⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"94⤵
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h95⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h95⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"95⤵
-
C:\Windows\SysWOW64\notepad.exenotepad96⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h96⤵
- Sets file to hidden
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h96⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"96⤵
-
C:\Windows\SysWOW64\notepad.exenotepad97⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h97⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe96⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe95⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe94⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 16412 -s 8095⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe93⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe92⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe91⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe90⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe89⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe88⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe87⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe86⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe85⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe84⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe83⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe82⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe81⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe80⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe79⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe78⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe77⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe76⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe75⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe74⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe73⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe72⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe71⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe70⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe69⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe68⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe67⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe66⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe65⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe64⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe63⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe62⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe61⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe60⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe59⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe58⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe57⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe56⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe55⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe54⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe53⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10648 -s 6854⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe52⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe51⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe50⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe49⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe48⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe47⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe46⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe45⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe44⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe43⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe42⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe41⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe40⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe39⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe38⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe37⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe36⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe35⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe34⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe33⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe32⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe31⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe30⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe29⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe28⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe27⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe26⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe25⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe24⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe23⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe22⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe21⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe20⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe19⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe18⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe17⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe16⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe15⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe14⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe13⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe12⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe11⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe10⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe9⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe8⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 728⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe6⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe5⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe4⤵
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7020 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,4288484039410516206,6703452681954545986,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6884 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 37602⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7352 -ip 73522⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9168 -ip 91682⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 10468 -ip 104682⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 10648 -ip 106482⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 13848 -ip 138482⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 15068 -ip 150682⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 15592 -ip 155922⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 16412 -ip 164122⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
35KB
MD52f6a1bffbff81e7c69d8aa7392175a72
SHA194ac919d2a20aa16156b66ed1c266941696077da
SHA256dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
3.7MB
MD5591c4c2fe8f784987a7a5c0859340d13
SHA15df03247696f65e1707e93d9f75141a173941da7
SHA2562617fc57e0c578d451511506a3d4dd0059ff4860228c1b4944b5db55d2456f4d
SHA512bfd5aa7d4357024cd2e023b53fff8bb9c1f52324eaddb24937fbea1eb1eededeb650a22fd517b663096097922326159bd487117b07a191f3ec06abcb8a627429
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
70KB
MD54308671e9d218f479c8810d2c04ea6c6
SHA1dd3686818bc62f93c6ab0190ed611031f97fdfcf
SHA2565addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a
SHA5125936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2
-
Filesize
41KB
MD558756d99d2376dcfbede6057dd25a745
SHA176f81b96664cd8863210bb03cc75012eaae96320
SHA256f5d0da7b010b28a7fe2c314724a966c44068a8c8fa7e9a495e1284aa501067fa
SHA512476e35c3da0cf223e773c2d26403c12f8c8d034273cca9e3c4cba9359f8506159c2a5267793c8bd9982b636191ddda62e9119593f5599053894c7027a58acc10
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.3MB
MD5a308d42822b1bcc72e63270f012430a1
SHA139120041244fea9d757d253232fd14835e70c555
SHA256e7958fa25cceb843a031a4d8744515180b4aceeb2db00f42e9c0c78cf1991a11
SHA512fb9825a6febb7b54d2bb6bd21c02cd1eec103cc44cc525eebabdebbb726c241d223b734e751669f18f5762f6418917cd892850e4d99222f5998027a144ffb366
-
Filesize
73KB
MD537e887b7a048ddb9013c8d2a26d5b740
SHA1713b4678c05a76dbd22e6f8d738c9ef655e70226
SHA25624c0638ff7571c7f4df5bcddd50bc478195823e934481fa3ee96eb1d1c4b4a1b
SHA51299f74eb00c6f6d1cbecb4d88e1056222e236cb85cf2a421243b63cd481939d3c4693e08edde743722d3320c27573fbcc99bf749ff72b857831e4b6667374b8af
-
Filesize
4KB
MD5cb60c2df6c53785e9b012560a6dd4204
SHA13c9f3866c3970e3e54287c9708dc6f99835885ba
SHA2566cee876be736779a7162c1fa2b495cdd9b5614b2f62b6cb1876c5360d10ef04c
SHA512eb3bfd424b627351a7abeb08e6a239a86e83fafb0f45065b1ea2272f12308b4b761fbc8f3ce8989e150f65861ad9fc3186da60003b621b59b0a5eb6f81615c0e
-
Filesize
96B
MD527b41b38997ffd6f0fbddd3084e24833
SHA1ce18d3b47730d3f057e83730a18fb2894304a57e
SHA256e82458e8ec1533f5b9f553ca1c88728a98f6bd969fa4224dba4750ebe578a54e
SHA5124e2af3e0dba718accde7e9b661b977581ed4b9d4a83e76128c77d5c53e2c2022cfaebe4ef130ae29884cdbd3a5a66a642d0255469bba81e2085fbf20e157e29d
-
Filesize
1KB
MD53fd96ef10e5ec9737385320f8457c6d8
SHA1c57d8db6964282da1282a2d78f22e19a48225631
SHA256f7e5b08fa5b62737901f35853a59885ab7dffb8fa79d8b7fccabe644234e5aa7
SHA512dd1f3aab880c9550145a6bb4861f6c828e406906ffe32bf0dc5403ba7bc2be62a4bff775b00c39d560cf2c1a05c1c9834628969e4e1d146c36890dd71df13bd6
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD5589992c457bc8c64d33bfe62de4e22fc
SHA188375313e6f3d6ecab56887abc8c18586fa9ee1b
SHA256dd24a8b34ff6b6e4248711f3c483a31ebf0681d8c93f265041b457e1645971b7
SHA512364c5f0d5ad19c055c1dfbf5994bba0ca20ee7597e695f3c286f6ad353bdbbf899a389309a3b400d495bdf9c5661f1374253e756337cedabb81be376384677c0
-
Filesize
7KB
MD51c421a198ef1bcc9709c679c907fd98d
SHA113c4f353533795f00a44ac8e820aef881908761e
SHA256c3324077b80205d66d3a447266f705472c8f15c3d2be8600c5578f327ff878d7
SHA512c132b63e91b1782a247fa03f191f2e1bfbca1c3b179dbe31193e6da4e817531fc7152822579a114342af5248d363a9e0f336e0adc0908b50d30be480bfc1a23b
-
Filesize
7KB
MD5c211a2088167a7eb62193a8ca085a93a
SHA1a5d23bf192e236487d42016a2f72741008cebc7c
SHA2564e119e6df5c425cf8be88e0121678dac25f5d3f58aac7e5a9b07298c43e76bd4
SHA5128105cc2fa05c523f0e50bcb43af76be1dcb0090784c6e04cc7acbd23be7d61cb5910ea2ca802bad98c54e2bd4c6f65c36a133e3b1c3f65214403f41c1c93a690
-
Filesize
5KB
MD5de2579972257c58869da3db064b98db4
SHA16a782915c2d895c82e182acf5715cb5fae4bb6ba
SHA2560b006baefac4d2ce71a5cc359118a437478f5688d469c9c5500f61182138e92c
SHA5126dd2f7e100887ecb86e954d7cc4fe25a9d8f2e737e32d5831594620b6a616f922133bd0c81348da7a539414fa08b514a48691871cb2e9e7115285b12557bbab3
-
Filesize
7KB
MD56dd30de005c63c4f96eec87a1e68cf22
SHA1daf37e7bce1ea579b93c7f21ce1db9a8533cb854
SHA2562f9dc09f95624e57eb0debd2ed91926140e62d3accbd8379fd5e15e4043013f0
SHA5123e63f11b63f6394daefaf59840615811ac0824389a6e682e262dda3bb9085314f066c413e8e26516b0e2825e6592f61cf3f94b5f0c632dd199c2b6b1ced882de
-
Filesize
7KB
MD5778ea357710b8251f6b63dbf3302dab6
SHA1eba2e740dacef0f1e6f50c0ec363649a2fa10784
SHA25676fc1e948cfbf02a756e49a4dbe0e60dbc2b8bafaf947bd98b33b36f8a332b83
SHA5124395722d086f83f46a7c8f3461d2fca7a95f1169d5ea8d7a38c102476bef76fb44aec90caa31a72675ad4029e18187393c0fbe7acc6e5a3ceee98e6bffa988f1
-
Filesize
6KB
MD5e81b7e74b13328bdc63c643f797abfdd
SHA1e3cea2f0768375b22c710fbfd92fff21c387b88b
SHA256cab840e678a21f4e0fb1b8530a3ea55e42e45a4faeb78a51b0cce36156bdf338
SHA512f2cb5e1ec538bb4476063add18f6b13319e8d55c69ea2f91ba590966227dfea39d13d50416642fdc03a0201efa5155e774dcf4fa9da5ba3e1a425218ba87dba6
-
Filesize
8KB
MD523afa708abf647fabe6450b47f6a615e
SHA181b6723b59b83c846bff2ca2c38168a97431b02b
SHA256ca5fd28cddde275bc643ebb3fc3064b44d4ebf488e13ac56720cc34f38c39c11
SHA512265cf0098af289500e451ad58cf2b468b5fb567446997155673997ea60c08d03eb229282e7a2de49b42e77019f297189219ff2b81c75f419a0bb2a733dc63466
-
Filesize
1KB
MD53663aae871bd1a1c190693e23802d8ee
SHA1b68213e59c655621fac7310aa907840574751b14
SHA256b77488f7b0f5fef54ca94ccb05ac12aeaede2781f0ddc51b2b0f0b7c9b56eb44
SHA5126484467429337090bc2bb862505e78e35941c2c3307b7b15f63b9188ff12199c28498479bf3980083284bfd0348c14324fb3444ab8153c501bb6876f3e67867c
-
Filesize
1KB
MD5e0162e3a666605fe4d1cafc411a0b087
SHA1520df1090f9e9682a121955ea53b1a33842f2b13
SHA256a088e7c40433823fb882d0f203ef9e1f60ef8735dddf715d8f433b5628e8841f
SHA51248f9d4c6c99bb6fdd8644064ee57122bd2ed6a9c4ef1a11e514eb8b880395de80f8b14f93d552937722933bc095ead27cedeb25f3d1d949ed00dfd2787604280
-
Filesize
1KB
MD5b8fbe3a8ae6d5442c0e9dc194ae1509a
SHA152d6bc76297c5b325268fdde56e4eeef38ee3b51
SHA2560d941990d9e997b5601f4f80bc1916a46eb1711ff199febbed36db8cc25a8320
SHA51212e022766591b98e06d032542163a60771f7819ca36736c1bd016e8391379bc77e8e2bb49b7f7df0350f787ffa1baf312d12d46d8981a213537f085e665a9d56
-
Filesize
1KB
MD5c0fce85887361aaee27a37dd0d2e09d0
SHA1958b21313a23c2931d7d40112189e23ed0f77733
SHA2568d9f6119afb4295fa2186808026421e30da3151f7f057ec50d28e764da835253
SHA512571268a2466c7ced7cc925f48c9ec660ac9fe5fbf2f4b476bd0f4dc3096f4a7abc75ec73864dca1c7537fff764c189cafdbd2de69d17989970a25521e3176430
-
Filesize
2KB
MD5b8f905de54982341a0765aee3428449a
SHA1a407f1456a8417a2c4d480188b489c76e14a542d
SHA256f5602cd59e4741d067b7096af651dd1a1f153d556d70dc09a0a5e886bdad62d2
SHA512f400e7c3e91c594209df3e0cba85215bb061cea2dd0a1bb1f7c4ce44d56ebec3c721ba57fddf4ea21a932843e7ec375068d1785017254d168ef6f55c84a5b25f
-
Filesize
1KB
MD50fe62610a197d0c70028f2cda5f438d4
SHA1e7a63f8f42756259efedb2892338be1f98e75fd3
SHA256f81059e3fd204e9477b1dd9c9395a294250a60bae7c55a8e9ea3bff63c6b08a3
SHA5123199b7e67bc1344f323baae1c478588ab5c04fc4168cb8ca0c42acb7b4450f5031da892f0319a841b6ce6946c99f605f97f65a0d5e015498333e4669c44c47e4
-
Filesize
1KB
MD53376a08882a78917bfd9be77c04a2ca1
SHA10ce1a6fdb4eb31e3f7c26059feb32a31c1745bc6
SHA25617b4f603ffa5c2ff9778c14a6e967fa7d60590d9e473e61c3c53d3c298f83627
SHA512acac0509fc81c07e1d0d0d09eec1bebd9474609279d5952fb5d6b730e63f112c175855f389a54ad57c422b9496af1e399c13a520eba6cf196c4b8842c78d7c79
-
Filesize
1KB
MD58f624876a796c5e08da895845be8107c
SHA130bb164ea9696e1e017d33a0ce588be2761a4338
SHA25685f8597cc473288aaa36f41f595f9726f99a98550f2cb6f4fd37eaec7e6799ce
SHA512748bcbbe87f8a6ab0097875ead704be61f28ccbaa6b214d4a7e957d2f9fb16593278413024e2191ddd6929f6226bf56dbaf91157833d73c6cfe848cacf56075f
-
Filesize
1KB
MD5ada985766adbb4d6621011dd27b04149
SHA10df65328444b3d8239aad561f03fcf194547bf9c
SHA2566f4269d5c37e6fe9a2e22bbac1ce434fc9c9ac97aed4aa5fcaa455bf9d860814
SHA512e1d9723970829169a973365a511508848a029353e7e967ddb48b2b8763a3fb924bf0e7d0c8ad495e360f993027bd191958ddfd51b8059f84e1a943cc57f14763
-
Filesize
1KB
MD52942d51ec4fb2904469d386a3308df33
SHA19780945c9ea2da83955848e5c908447f250efe59
SHA2561484bb41502995da3acb53b058d56e1e7e892c9b204bafcb26a2f191f0e21f78
SHA512c5fc2283d55d9db8f2a8149e2b98f8c715a01faa6974ecbae101b68702cdaa8e6963be1a1615429a0088fe9ceaf73233f72b600c0db8e92392f19d2da7e0091c
-
Filesize
1KB
MD584b3c5735c0020a0194ce4d8c284483c
SHA14d3aa7fbb8443fb2310830a98ba561c8105d6fe0
SHA256c3cdcf5888b668bd7fc6ee6e104432d371ebad784d24189e323bea0cd5bc418e
SHA512c5f0c67847026d28286ca8ca608966efaaed6699599e2c9c8d9eb02610ec8dd5c00ca32b31ebe61cb985bdd54093b052313e72806bfe62349463c253c8fbafcf
-
Filesize
2KB
MD51a2520e12b74249b5ad6c79f13220965
SHA1bec4a24f74e6119fbd349dd5aeb5595e06bbe1bf
SHA25645ff74c7d8263414a8b935ab25a7e7b7595b632f7f5ebf129d6e1bb0acce5b73
SHA5120fcad4d264112c410d71c41606f0dace65a348c5e2cc3c15d9d7996f117d912ebcc4679de7b4bb2b48f3e6d8437b0fbee23d42ea96a9fc4634043810a76e2800
-
Filesize
371B
MD55a283b8ff698607d84cabca50b6fddff
SHA1727a38ef541f191d52101ef8246cd8a874c82200
SHA25613cdca5f41b236693a10132e0c1a8622c8ddebf709ee553390c1b18460465262
SHA51201a6cbd54a1cd66fe48d02d611eace4a18c8342b96c35c02e82b52142494327102240c8a7c864c606d7b1228883a58333128a69e292267f7aa6088a761b62093
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5e7a6b99f52a9f94ead7c25ca52a0391e
SHA16b76da49f7870444841db06e69cfcb7bf95fb949
SHA25681afc4351d4e409fd9645dbec677c0500c8bc1400f498b13a452142a35fcbadf
SHA51268fa989b7eee8d57787bf7e6217a4dbe4c89da086f80fd075ddcc9fdd14d95f0b6b55382254bf0cf39e14574f84328033a408e2cee1fafa495e70be3d0fabcf2
-
Filesize
11KB
MD53aa65336e9b5a9acffbba8e11ceca979
SHA1f6b5d8d777b9fb6d1c499cdde857a538056665ab
SHA256bc7b70362046a03d738e2ca7e0cb7960bbe6233a379a872851581632e54ac680
SHA512aca86ec45d5095fef9ebe564f63d9241f047111f8bd76e5a23f046c94f7df79d486db81af3a70083e2dd91f0cc0f71fcb2c513c086007820246cbd527d4efaa5
-
Filesize
10KB
MD50f9c5f144a3d0e27fa1a3382c5dfe5c9
SHA1caf6bab8fb31e3f78ccc60fa17219d87edf48cfc
SHA25675673e0f40898f3d7a135e84db525f06195a75534faacc6a6d5c9b7216469288
SHA51254760829a49f3f53b47d8faf09346f8e3f62a6cd7ade27b481dd93eb02ef07c6de155eed1ed8ad44f56a388372a43abeec54c7843c8ae7981b2d8bb8d1169f45
-
Filesize
11KB
MD550bada0541cd07f59804bbe4405506ba
SHA1a0622d575f688e3f2b5ddd193d4566d8148c7676
SHA256258b150837e229b95964e6bf57f7abee2f7e33eacf526e15f8ddc5de49e0db34
SHA512b1f1bb240cade0ab8e74ecbdccb6fe49b6ef4086fbac030691899b4fbed972302cfca33b2705aef964f34b0518d7c8ceb07c593d107c32a4985e89ae6290bdf7
-
Filesize
11KB
MD5f3ab242d8c9b2e0cb26ee3dcca4c1ff7
SHA1d267e3c2fa634f08467b10e02164e9679668cfc1
SHA256a5f2f37a92346824a32eff547f1e2e7983e21d41882683416af3963698913a29
SHA51223ef79708f9c1312e5064e3d9074ef29fbc89dc9654f21d453655af76da6f4e1f695d012b906b6a8ff63ac58621a2f4d2b54c7e077e6b425e289c2f29eef6bf1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
31KB
MD529a37b6532a7acefa7580b826f23f6dd
SHA1a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
SHA2567a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
SHA512a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
10.0MB
MD55df0cf8b8aa7e56884f71da3720fb2c6
SHA10610e911ade5d666a45b41f771903170af58a05a
SHA256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
31KB
MD5c261c6e3332d0d515c910bbf3b93aab3
SHA1ff730b6b2726240df4b2f0db96c424c464c65c17
SHA2564663715548c70eec7e9cbf272171493d47a75d2652e38cca870412ea9e749fe9
SHA512a93bd7b1d809493917e0999d4030cb53ab7789c65f6b87e1bbac27bd8b3ad2aeb92dec0a69369c04541f5572a78f04d8dfba900624cf5bd82d7558f24d0a8e26
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
84KB
MD5b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA5124b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
Filesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
Filesize
127B
MD5ea3152149600326656e1f74ed207df9e
SHA1361f17db9603f8d05948d633fd79271e0d780017
SHA256f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816
SHA5125f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52
-
Filesize
2KB
MD5f4c4206730e2752350f5b5aee2983ea1
SHA15b5417be8f8247d1ce463f3788cb1371d5832b91
SHA2569cee2185f6cac42fea8c852d27a348f97f1ad8c1015cdc9859aabd568a68cadd
SHA5129ee1997a9e9f1617e42ff44f0244607ec41b339ddb09c17a1359070cba4a35616eef4f367f93e5e695a1d9b5b6910fdd2ee2af8bace2706fa94e7b44d41a8777
-
Filesize
828KB
-
Filesize
4KB
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
828KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
828KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
4KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
9.1MB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
56KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
5.7MB
-
Filesize
5.7MB