Analysis
-
max time kernel
24s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
04-07-2024 00:11
General
-
Target
23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe
-
Size
380KB
-
MD5
23f5da47d1e3320198797ec21026ff20
-
SHA1
4d0c77335a3f00cdd266d384913072701795ce42
-
SHA256
c27d63aaaab8a73807dcc5cfc8d4ea41759da0a2a5aae290a1acf0fd00481c24
-
SHA512
f4f35e2f89840cf4a09570d4ff6ea916eb2339bc6ece8156544c112777efeeb25fc9017fc03ab9b2178f90dbc000bfe7bfa280878056d0ca1ce2371c830e49fa
-
SSDEEP
6144:8JicfqjN1+ZkfWH3eKR/VErZFIDSavR5XaqhuHA48hN+q/kaQU7NLT2TtsbRmkuu:ZDNUZwjKdyPa0qhu8Aqx7NH2Tt+
Score
10/10
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe" +s +h4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Users\Admin\AppData\Local\Temp\23f5da47d1e3320198797ec21026ff20_JaffaCakes118.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h6⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 56⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h8⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 58⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h10⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 510⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 512⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h14⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h14⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"13⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 514⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h16⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h16⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"15⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 516⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h18⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h18⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"17⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 518⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h20⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h20⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"19⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 520⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h22⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h22⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"21⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 522⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h24⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h24⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"23⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 524⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h26⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h26⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"25⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 526⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h28⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h28⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"27⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 528⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h30⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h30⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"29⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 530⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h32⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h32⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"31⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 532⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h34⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h34⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"33⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 534⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h36⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h36⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"35⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 536⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h38⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h38⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"37⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 538⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h40⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h40⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"39⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 540⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h42⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h42⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"41⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 542⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h44⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h44⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"43⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 544⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h46⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h46⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"45⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 546⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h48⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h48⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"47⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 548⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h50⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h50⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"49⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 550⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h52⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h52⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"51⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 552⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h54⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h54⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"53⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 554⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h56⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h56⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"55⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 556⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe56⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h58⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h58⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"57⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 558⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe58⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h60⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h60⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"59⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 560⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h62⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h62⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"61⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 562⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe62⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h64⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h64⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"63⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 564⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h66⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h66⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"65⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 566⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe66⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h68⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h67⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h68⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"67⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 568⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"67⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe68⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h70⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h70⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"69⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 570⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"69⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe70⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h72⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h72⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"71⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 572⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"71⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe72⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h74⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h74⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"73⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 574⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"73⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe74⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h76⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h76⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"75⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 576⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe76⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h78⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h78⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"77⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 578⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"77⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe78⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h80⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h80⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"79⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 580⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe80⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h82⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h82⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"81⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 582⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"81⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe82⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h84⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h84⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"83⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 584⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"83⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe84⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h86⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h86⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"85⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 586⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe86⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h88⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h88⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"87⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 588⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe88⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h90⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h90⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"89⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 590⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe90⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h92⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h92⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"91⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 592⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"91⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe92⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h94⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h94⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"93⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 594⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"93⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe94⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h96⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h96⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"95⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 596⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"95⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe96⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h98⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h98⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"97⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 598⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"97⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe98⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h100⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h100⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"99⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5100⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"99⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe100⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h102⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h102⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"101⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5102⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"101⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe102⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h104⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h104⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"103⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5104⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"103⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe104⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h106⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h106⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"105⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5106⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"105⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe106⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h108⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h108⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"107⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5108⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"107⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe108⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h110⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h110⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"109⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5110⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"109⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe110⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h112⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h112⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"111⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5112⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"111⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe112⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h113⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h114⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h113⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h114⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"113⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5114⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"113⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe114⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h116⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h115⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h116⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"115⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5116⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"115⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe116⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h117⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h118⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h117⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h118⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"117⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5118⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"117⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe118⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h119⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h120⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h119⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h120⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"119⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5120⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"119⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe120⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h121⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h122⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h121⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h122⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"121⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5122⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"121⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe122⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h123⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h124⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h123⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h124⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"123⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5124⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"123⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe124⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h125⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h126⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h125⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h126⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"125⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5126⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"125⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe126⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h127⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h128⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h127⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h128⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"127⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5128⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"127⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe128⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h129⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h130⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h129⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h130⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"129⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5130⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"129⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe130⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h131⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h132⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h131⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h132⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"131⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5132⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"131⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe132⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h133⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h134⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h133⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h134⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"133⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5134⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"133⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe134⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h135⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h136⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h135⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h136⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"135⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5136⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"135⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe136⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h137⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h138⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h137⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h138⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"137⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5138⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"137⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe138⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h139⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h140⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h139⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h140⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"139⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5140⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"139⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe140⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h141⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h142⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h141⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h142⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"141⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5142⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"141⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe142⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h143⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h144⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h143⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h144⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"143⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5144⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"143⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe144⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h145⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h146⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h145⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h146⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"145⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5146⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"145⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe146⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h147⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h148⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h147⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h148⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"147⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5148⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"147⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe148⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h149⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h150⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h149⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h150⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"149⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5150⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"149⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe150⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h151⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h152⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h151⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h152⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"151⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5152⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"151⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe152⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h153⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h154⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h153⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h154⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"153⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5154⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"153⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe154⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h155⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h156⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h155⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h156⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"155⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5156⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"155⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe156⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h157⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h158⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h157⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h158⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"157⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5158⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"157⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe158⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h159⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h160⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h159⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h160⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"159⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5160⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"159⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe160⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h161⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h162⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h161⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h162⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"161⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5162⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"161⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe162⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h163⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h164⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h163⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h164⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"163⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5164⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"163⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe164⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h165⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h166⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h165⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h166⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"165⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5166⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"165⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe166⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h167⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h168⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h167⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h168⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"167⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5168⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"167⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe168⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h169⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h170⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h169⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h170⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"169⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5170⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"169⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe170⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h171⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h172⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h171⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h172⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"171⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5172⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"171⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe172⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h173⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h174⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h173⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h174⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"173⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5174⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"173⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe174⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h175⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h176⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h175⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h176⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"175⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5176⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"175⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe176⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h177⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h178⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h177⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h178⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"177⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5178⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"177⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe178⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h179⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h180⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h179⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h180⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"179⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5180⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"179⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe180⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h181⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h182⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h181⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h182⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"181⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5182⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"181⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe182⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h183⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h184⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h183⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h184⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"183⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5184⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"183⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe184⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h185⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h186⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h185⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h186⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"185⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5186⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"185⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe186⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h187⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h188⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h187⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h188⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"187⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5188⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"187⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe188⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h189⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h190⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h189⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h190⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"189⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5190⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"189⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe190⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h191⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h192⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h191⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h192⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"191⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5192⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"191⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe192⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h193⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h194⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h193⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h194⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"193⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5194⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"193⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe194⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h195⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h196⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h195⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h196⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"195⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5196⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"195⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe196⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h197⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h198⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h197⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h198⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"197⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5198⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"197⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe198⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h199⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h200⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h199⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h200⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"199⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5200⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"199⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe200⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h201⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h202⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h201⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h202⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"201⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5202⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"201⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe202⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h203⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h204⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h203⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h204⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"203⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5204⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"203⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe204⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h205⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h206⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h205⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h206⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"205⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5206⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"205⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe206⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h207⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h208⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h207⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h208⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"207⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5208⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"207⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe208⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h209⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h210⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h209⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h210⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"209⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5210⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"209⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe210⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h211⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h212⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h211⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h212⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"211⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5212⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"211⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe212⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h213⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h214⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h213⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h214⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"213⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5214⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"213⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe214⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h215⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h216⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h215⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h216⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"215⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5216⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"215⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe216⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h217⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h218⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h217⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h218⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"217⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5218⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"217⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe218⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h219⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h220⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h219⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h220⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"219⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5220⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"219⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe220⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h221⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h222⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h221⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h222⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"221⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5222⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"221⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe222⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h223⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h224⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h223⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h224⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"223⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5224⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"223⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe224⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h225⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h226⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h225⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h226⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"225⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5226⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"225⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe226⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h227⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h228⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h227⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h228⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"227⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5228⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"227⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe228⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h229⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h230⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h229⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h230⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"229⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5230⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"229⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe230⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h231⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h232⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h231⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h232⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"231⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5232⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"231⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe232⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h233⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h234⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h233⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h234⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"233⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5234⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"233⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe234⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h235⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h236⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h235⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h236⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"235⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5236⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"235⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe236⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h237⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h238⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h237⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64" +s +h238⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\winlogon.exe"237⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5238⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"237⤵
-
C:\Windows\SysWOW64\winlogon.exeC:\Windows\SysWOW64\winlogon.exe238⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\winlogon.exe" +s +h239⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\winlogon.exe" +s +h240⤵
- Sets file to hidden