61df554845a8c429c73b5908d9da9c8930e2172ca5b980019237414a66868acc

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2023, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IM_SHITTING_MY_PANTSgsa.bat
Size

57B
MD5

be98e5353cac597d22d950df7f1d3e36
SHA1

b9008c3353d4be455902076163ac98d549bf9612
SHA256

61df554845a8c429c73b5908d9da9c8930e2172ca5b980019237414a66868acc
SHA512

31fa4751a6c3c1581dd03be50a073e36ed3390f9d1d868c3548f22a4450ec62dc09af7890fa8d510178ae4604d28b14555dd8d9871ca64349ff21cba3c4e144d

Score

3^/10

Malware Config

Signatures

Program crash 12 IoCs

pid	pid_target	Process	procid_target
12724	11160	WerFault.exe
12748	9336	WerFault.exe	378
12764	11144	WerFault.exe
12828	2736	WerFault.exe	26
14228	10660	WerFault.exe
14284	14180	WerFault.exe	665
13780	12924	WerFault.exe
13932	11428	WerFault.exe	650
14196	13800	WerFault.exe	661
14200	13872	WerFault.exe
13156	13888	WerFault.exe	667
13604	13848	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12776	dwm.exe
Token: SeChangeNotifyPrivilege	12776	dwm.exe
Token: 33	12776	dwm.exe
Token: SeIncBasePriorityPrivilege	12776	dwm.exe
Token: SeCreateGlobalPrivilege	1812	dwm.exe
Token: SeChangeNotifyPrivilege	1812	dwm.exe
Token: 33	1812	dwm.exe
Token: SeIncBasePriorityPrivilege	1812	dwm.exe
Token: SeCreateGlobalPrivilege	10644	dwm.exe
Token: SeChangeNotifyPrivilege	10644	dwm.exe
Token: 33	10644	dwm.exe
Token: SeIncBasePriorityPrivilege	10644	dwm.exe
Token: SeCreateGlobalPrivilege	13164	dwm.exe
Token: SeChangeNotifyPrivilege	13164	dwm.exe
Token: 33	13164	dwm.exe
Token: SeIncBasePriorityPrivilege	13164	dwm.exe
Token: SeShutdownPrivilege	13164	dwm.exe
Token: SeCreatePagefilePrivilege	13164	dwm.exe
Token: SeShutdownPrivilege	13164	dwm.exe
Token: SeCreatePagefilePrivilege	13164	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4964	4564	cmd.exe	84
PID 4564 wrote to memory of 4964	4564	cmd.exe	84
PID 4564 wrote to memory of 4980	4564	cmd.exe	86
PID 4564 wrote to memory of 4980	4564	cmd.exe	86
PID 4564 wrote to memory of 4272	4564	cmd.exe	91
PID 4564 wrote to memory of 4272	4564	cmd.exe	91
PID 4564 wrote to memory of 4796	4564	cmd.exe	89
PID 4564 wrote to memory of 4796	4564	cmd.exe	89
PID 4564 wrote to memory of 4488	4564	cmd.exe	92
PID 4564 wrote to memory of 4488	4564	cmd.exe	92
PID 4564 wrote to memory of 3544	4564	cmd.exe	94
PID 4564 wrote to memory of 3544	4564	cmd.exe	94
PID 4564 wrote to memory of 2144	4564	cmd.exe	96
PID 4564 wrote to memory of 2144	4564	cmd.exe	96
PID 4564 wrote to memory of 1288	4564	cmd.exe	98
PID 4564 wrote to memory of 1288	4564	cmd.exe	98
PID 4564 wrote to memory of 2352	4564	cmd.exe	100
PID 4564 wrote to memory of 2352	4564	cmd.exe	100
PID 4564 wrote to memory of 3408	4564	cmd.exe	102
PID 4564 wrote to memory of 3408	4564	cmd.exe	102
PID 4564 wrote to memory of 3208	4564	cmd.exe	103
PID 4564 wrote to memory of 3208	4564	cmd.exe	103
PID 4564 wrote to memory of 3092	4564	cmd.exe	104
PID 4564 wrote to memory of 3092	4564	cmd.exe	104
PID 4564 wrote to memory of 216	4564	cmd.exe	112
PID 4564 wrote to memory of 216	4564	cmd.exe	112
PID 4564 wrote to memory of 4736	4564	cmd.exe	110
PID 4564 wrote to memory of 4736	4564	cmd.exe	110
PID 4564 wrote to memory of 3880	4564	cmd.exe	108
PID 4564 wrote to memory of 3880	4564	cmd.exe	108
PID 4564 wrote to memory of 3636	4564	cmd.exe	114
PID 4564 wrote to memory of 3636	4564	cmd.exe	114
PID 4564 wrote to memory of 1860	4564	cmd.exe	116
PID 4564 wrote to memory of 1860	4564	cmd.exe	116
PID 4564 wrote to memory of 552	4564	cmd.exe	118
PID 4564 wrote to memory of 552	4564	cmd.exe	118
PID 4564 wrote to memory of 1716	4564	cmd.exe	120
PID 4564 wrote to memory of 1716	4564	cmd.exe	120
PID 4564 wrote to memory of 1776	4564	cmd.exe	121
PID 4564 wrote to memory of 1776	4564	cmd.exe	121
PID 4564 wrote to memory of 4664	4564	cmd.exe	124
PID 4564 wrote to memory of 4664	4564	cmd.exe	124
PID 4564 wrote to memory of 1548	4564	cmd.exe	125
PID 4564 wrote to memory of 1548	4564	cmd.exe	125
PID 4564 wrote to memory of 3160	4564	cmd.exe	128
PID 4564 wrote to memory of 3160	4564	cmd.exe	128
PID 4564 wrote to memory of 3704	4564	cmd.exe	129
PID 4564 wrote to memory of 3704	4564	cmd.exe	129
PID 4564 wrote to memory of 2336	4564	cmd.exe	132
PID 4564 wrote to memory of 2336	4564	cmd.exe	132
PID 4564 wrote to memory of 1040	4564	cmd.exe	134
PID 4564 wrote to memory of 1040	4564	cmd.exe	134
PID 4564 wrote to memory of 3268	4564	cmd.exe	135
PID 4564 wrote to memory of 3268	4564	cmd.exe	135
PID 4564 wrote to memory of 3824	4564	cmd.exe	138
PID 4564 wrote to memory of 3824	4564	cmd.exe	138
PID 4564 wrote to memory of 1200	4564	cmd.exe	140
PID 4564 wrote to memory of 1200	4564	cmd.exe	140
PID 4564 wrote to memory of 1340	4564	cmd.exe	141
PID 4564 wrote to memory of 1340	4564	cmd.exe	141
PID 4564 wrote to memory of 4612	4564	cmd.exe	143
PID 4564 wrote to memory of 4612	4564	cmd.exe	143
PID 4564 wrote to memory of 2748	4564	cmd.exe	145
PID 4564 wrote to memory of 2748	4564	cmd.exe	145

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IM_SHITTING_MY_PANTSgsa.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6248
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13248
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 11068 -ip 11068
1⤵
PID:12644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 9336 -ip 9336
1⤵
PID:12664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 9024 -ip 9024
1⤵
PID:12612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 11160 -s 468
1⤵
- Program crash
PID:12724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9336 -s 760
1⤵
- Program crash
PID:12748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 60 -ip 60
1⤵
PID:12740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 11144 -s 468
1⤵
- Program crash
PID:12764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 11308 -ip 11308
1⤵
PID:12792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 11144 -ip 11144
1⤵
PID:12708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2736 -s 3672
1⤵
- Program crash
PID:12828

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 13196 -ip 13196
1⤵
PID:14180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 14180 -s 12
  2⤵
  - Program crash
  PID:14284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 10660 -s 396
1⤵
- Program crash
PID:14228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 12924 -ip 12924
1⤵
PID:14236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 756 -p 11428 -ip 11428
1⤵
PID:9008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 12924 -s 396
1⤵
- Program crash
PID:13780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 13872 -ip 13872
1⤵
PID:13612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 11428 -s 396
1⤵
- Program crash
PID:13932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13800 -s 344
1⤵
- Program crash
PID:14196

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13872 -s 316
1⤵
- Program crash
PID:14200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 10620 -ip 10620
1⤵
PID:14284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 13888 -ip 13888
1⤵
PID:13688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 13756 -ip 13756
1⤵
PID:10560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 11420 -ip 11420
1⤵
PID:14264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 748 -p 13688 -ip 13688
1⤵
PID:11408

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:10644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13888 -s 404
1⤵
- Program crash
PID:13156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 1812 -ip 1812
1⤵
PID:10620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 13928 -ip 13928
1⤵
PID:13884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 13076 -ip 13076
1⤵
PID:13804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 392 -p 13880 -ip 13880
1⤵
PID:13620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13848 -s 272
1⤵
- Program crash
PID:13604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 13800 -ip 13800
1⤵
PID:13636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 692 -p 10184 -ip 10184
1⤵
PID:14320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 12728 -ip 12728
1⤵
PID:14312

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:10808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads