Analysis
-
max time kernel
93s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-06-2024 19:44
General
-
Target
133599b578dae8bb9183cabf8bd938df_JaffaCakes118.exe
-
Size
817KB
-
MD5
133599b578dae8bb9183cabf8bd938df
-
SHA1
95b1b4ae27f70dc7d5353279a89aedf4e433d1c2
-
SHA256
59e67f556f5ab4550c7d64d98b7f36c3d8b802a5063ad54b5ac92aa0b8ec8200
-
SHA512
095d914b943d13938af9366bce4b7272887c83d8d128415a884f30237cfcb689c86d23d6d4222814123f3722f4943f72655afc3ee41db8177c94999d9df31ad6
-
SSDEEP
24576:90QRWoJEfg0oChGdJQbjPbNW5tYeP+GFjBKb:aQRV2o3MPY5AF
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Guest17
C2
yahoo420.zapto.org:9031
Mutex
DC_MUTEX-K9KK91N
Attributes
-
InstallPath
svchost.exe
-
gencode
AzFwA3PAdR1R
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
svchost
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 28 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\133599b578dae8bb9183cabf8bd938df_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\133599b578dae8bb9183cabf8bd938df_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\133599b578dae8bb9183cabf8bd938df_JaffaCakes118.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\133599b578dae8bb9183cabf8bd938df_JaffaCakes118.exe" +s +h3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\133599b578dae8bb9183cabf8bd938df_JaffaCakes118.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 43⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 44⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h5⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h5⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 45⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 46⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h7⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 47⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 48⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h9⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 49⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h10⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 410⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h11⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"10⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 411⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h12⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h12⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 412⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h13⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"12⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 413⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h14⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h14⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 414⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h15⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"14⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 415⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h16⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h16⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"15⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 416⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h17⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"16⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 417⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h18⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h18⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"17⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 418⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h18⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h19⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"18⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 419⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h20⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"19⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 420⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h21⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h21⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"20⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 421⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"21⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV122⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 422⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h23⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"22⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 423⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h24⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h24⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"23⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 424⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h25⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h25⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"24⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 425⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h26⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"25⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 426⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h27⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h27⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"26⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 427⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h28⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h28⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"27⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 428⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h29⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h28⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h29⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"28⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 429⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h30⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h30⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"29⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 430⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h30⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h31⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h30⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h31⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"30⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 431⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h32⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h32⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"31⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 432⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"31⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h32⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h33⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h32⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h33⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"32⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 433⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"32⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h33⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV134⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h34⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h34⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"33⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV134⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 434⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h34⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h35⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h34⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h35⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"34⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 435⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h35⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV136⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h36⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h36⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"35⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 436⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"35⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h36⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h37⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h36⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h37⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"36⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 437⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h37⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV138⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h38⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h37⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV138⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h38⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"37⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 438⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"37⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h39⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h39⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"38⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 439⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h40⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h40⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"39⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 440⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h41⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h41⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"40⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 441⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"40⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h42⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h42⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"41⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 442⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"41⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h43⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h43⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"42⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 443⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h43⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV144⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h44⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h44⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"43⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV144⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 444⤵
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"43⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h45⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h45⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"44⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 445⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"44⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h46⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h46⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"45⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV146⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 446⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"45⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h46⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV147⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h47⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h46⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h47⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"46⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 447⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"46⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h48⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h48⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"47⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 448⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"47⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h49⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h49⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"48⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 449⤵
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"48⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h50⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h50⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"49⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 450⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"49⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h51⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h51⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"50⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 451⤵
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h52⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h52⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"51⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 452⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"51⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h52⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h53⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h53⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"52⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 453⤵
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"52⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h54⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h53⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV154⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h54⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"53⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 454⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"53⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h55⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h55⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"54⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 455⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"54⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h56⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h56⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"55⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 456⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"55⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h57⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h57⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"56⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 457⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"56⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h58⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h58⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"57⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 458⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"57⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h59⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h59⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"58⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 459⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"58⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h60⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h60⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"59⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 460⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"59⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h60⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h61⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h60⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h61⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"60⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 461⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"60⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h62⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h61⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV162⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h62⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"61⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV162⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 462⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"61⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h63⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h62⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h63⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"62⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 463⤵
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h64⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h64⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"63⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 464⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"63⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h65⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h65⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"64⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 465⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"64⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h66⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h66⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"65⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 466⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"65⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h67⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h67⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"66⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 467⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"66⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h67⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV168⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h68⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h68⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"67⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 468⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"67⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h68⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h69⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h68⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h69⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"68⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 469⤵
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"68⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h69⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV170⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h70⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h70⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"69⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 470⤵
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"69⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h71⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h70⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h71⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"70⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 471⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"70⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h72⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h71⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV172⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h72⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"71⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 472⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"71⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe" +s +h73⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R" +s +h73⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\AzFwA3PAdR1R\AzFwA3PAdR1R\svchost.exe"72⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 473⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe"C:\Windows\system32\AzFwA3PAdR1R\svchost.exe"72⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exe" +s +h73⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\AzFwA3PAdR1R" +s +h73⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\AzFwA3PAdR1R\svchost.exeFilesize
817KB
MD5133599b578dae8bb9183cabf8bd938df
SHA195b1b4ae27f70dc7d5353279a89aedf4e433d1c2
SHA25659e67f556f5ab4550c7d64d98b7f36c3d8b802a5063ad54b5ac92aa0b8ec8200
SHA512095d914b943d13938af9366bce4b7272887c83d8d128415a884f30237cfcb689c86d23d6d4222814123f3722f4943f72655afc3ee41db8177c94999d9df31ad6
-
memory/1948-375-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/2236-44-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/2272-94-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/2304-0-0x0000000002150000-0x0000000002151000-memory.dmpFilesize
4KB
-
memory/2304-14-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/2728-79-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/2892-26-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/2892-91-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/2892-13-0x0000000002350000-0x0000000002351000-memory.dmpFilesize
4KB
-
memory/2924-76-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/3208-32-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/3388-64-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/3492-190-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/3492-153-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/3732-47-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/4736-49-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/4788-61-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5128-96-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5264-186-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5348-126-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5552-108-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5692-111-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5976-239-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/6032-138-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/6072-122-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/6116-141-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/6160-156-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/6520-168-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/6684-170-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/6816-188-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7040-183-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7216-276-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7228-251-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7236-202-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7364-222-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7396-205-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7540-300-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7588-224-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7752-363-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7764-217-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/7936-220-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/8048-236-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/8112-299-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/8120-364-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/8256-252-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/8588-263-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/8780-264-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/8884-338-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/8980-287-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/9088-275-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/9160-288-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/9380-325-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/9396-311-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/9580-312-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/9760-336-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/9908-323-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/10108-324-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/10168-337-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/10168-376-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/10268-349-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/10540-350-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/10864-361-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/11088-362-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/11360-387-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/11516-388-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/11876-389-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB