5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79

Analysis

max time kernel
147s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28/12/2024, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe
Size

1.2MB
MD5

635afddc2a93e6fa556d320431a70668
SHA1

854ac114dcb8b00f0538db3ed76c8c7b1a381f14
SHA256

5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79
SHA512

edbeac6dd1ae291e2335e6fdc28b209b7c0b9e2124d13616ea68936d25e336ab71f6e48d6e9f461cdacec21b3fa1deefb51e094d0e2a2f44c69a93d5711a9b7b
SSDEEP

24576:6Ds4JwTnl1mEiWKlNsmqDpyOnDlcCqaF5Q:6DYnTiWz0QcCq

Score

4^/10

discovery

Malware Config

Signatures

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2136	sc.exe
2152	sc.exe
3236	sc.exe
2852	sc.exe
344	sc.exe
3000	sc.exe
3368	sc.exe
3940	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 15 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe
2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2440	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	30
PID 2748 wrote to memory of 2440	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	30
PID 2748 wrote to memory of 2440	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	30
PID 2748 wrote to memory of 2440	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	30
PID 2440 wrote to memory of 2852	2440	cmd.exe	32
PID 2440 wrote to memory of 2852	2440	cmd.exe	32
PID 2440 wrote to memory of 2852	2440	cmd.exe	32
PID 2440 wrote to memory of 2852	2440	cmd.exe	32
PID 2748 wrote to memory of 2180	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	33
PID 2748 wrote to memory of 2180	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	33
PID 2748 wrote to memory of 2180	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	33
PID 2748 wrote to memory of 2180	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	33
PID 2180 wrote to memory of 2896	2180	cmd.exe	35
PID 2180 wrote to memory of 2896	2180	cmd.exe	35
PID 2180 wrote to memory of 2896	2180	cmd.exe	35
PID 2180 wrote to memory of 2896	2180	cmd.exe	35
PID 2896 wrote to memory of 2904	2896	net.exe	36
PID 2896 wrote to memory of 2904	2896	net.exe	36
PID 2896 wrote to memory of 2904	2896	net.exe	36
PID 2896 wrote to memory of 2904	2896	net.exe	36
PID 2748 wrote to memory of 2948	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	37
PID 2748 wrote to memory of 2948	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	37
PID 2748 wrote to memory of 2948	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	37
PID 2748 wrote to memory of 2948	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	37
PID 2948 wrote to memory of 2768	2948	cmd.exe	39
PID 2948 wrote to memory of 2768	2948	cmd.exe	39
PID 2948 wrote to memory of 2768	2948	cmd.exe	39
PID 2948 wrote to memory of 2768	2948	cmd.exe	39
PID 2768 wrote to memory of 2812	2768	net.exe	40
PID 2768 wrote to memory of 2812	2768	net.exe	40
PID 2768 wrote to memory of 2812	2768	net.exe	40
PID 2768 wrote to memory of 2812	2768	net.exe	40
PID 2748 wrote to memory of 2960	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	42
PID 2748 wrote to memory of 2960	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	42
PID 2748 wrote to memory of 2960	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	42
PID 2748 wrote to memory of 2960	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	42
PID 2748 wrote to memory of 2960	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	42
PID 2748 wrote to memory of 2960	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	42
PID 2748 wrote to memory of 2960	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	42
PID 2748 wrote to memory of 2280	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	46
PID 2748 wrote to memory of 2280	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	46
PID 2748 wrote to memory of 2280	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	46
PID 2748 wrote to memory of 2280	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	46
PID 2280 wrote to memory of 1176	2280	cmd.exe	48
PID 2280 wrote to memory of 1176	2280	cmd.exe	48
PID 2280 wrote to memory of 1176	2280	cmd.exe	48
PID 2280 wrote to memory of 1176	2280	cmd.exe	48
PID 1176 wrote to memory of 2924	1176	net.exe	49
PID 1176 wrote to memory of 2924	1176	net.exe	49
PID 1176 wrote to memory of 2924	1176	net.exe	49
PID 1176 wrote to memory of 2924	1176	net.exe	49
PID 2748 wrote to memory of 616	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	50
PID 2748 wrote to memory of 616	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	50
PID 2748 wrote to memory of 616	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	50
PID 2748 wrote to memory of 616	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	50
PID 616 wrote to memory of 1612	616	cmd.exe	52
PID 616 wrote to memory of 1612	616	cmd.exe	52
PID 616 wrote to memory of 1612	616	cmd.exe	52
PID 616 wrote to memory of 1612	616	cmd.exe	52
PID 1612 wrote to memory of 984	1612	net.exe	53
PID 1612 wrote to memory of 984	1612	net.exe	53
PID 1612 wrote to memory of 984	1612	net.exe	53
PID 1612 wrote to memory of 984	1612	net.exe	53
PID 2748 wrote to memory of 2844	2748	5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe	55

C:\Users\Admin\AppData\Local\Temp\5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe
"C:\Users\Admin\AppData\Local\Temp\5a89a43a497faf2152cc5b8ecda8bb6c84d047e4fd53418ed78fa5f73cd69e79.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:984
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:316
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:592
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:2256
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:1664
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1620
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:2692
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1572
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1064
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:3088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:3096
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3208
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:3240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:3292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3344
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:3412
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:3420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:3436
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:3460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3468
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:3520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:3636
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:3668
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:3724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3776
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:3856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:2732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:348
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:1252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:2280
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:636
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1508
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:316
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:2376
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:1100
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:2532
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:1272
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      PID:2740
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3140
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:3096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    PID:3116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config "UxSms" start= demand
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\sc.exe
    sc config "UxSms" start= demand
    3⤵
    - Launches sc.exe
    PID:3236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Desktop Window Manager Session Manager"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3208
- - C:\Windows\SysWOW64\net.exe
    net stop "Desktop Window Manager Session Manager"
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start "Desktop Window Manager Session Manager"
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\net.exe
    net start "Desktop Window Manager Session Manager"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3344
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
  2⤵
  - Modifies Control Panel
  PID:3312

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2868

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4004

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1744

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:824

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2516

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:832

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2356

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2736

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3308

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3488

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3684

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3880

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2616

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:532

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2336

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1640

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2516

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2992

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2272

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3252

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
79c80670a1f627e86c477f22bd2401a0

SHA1
bff9611be80b049401721d51c89f6ab36436ecec

SHA256
efba6b2855bd351e2d47ca88a3b0e5c664146375262f0fb38f6eefb0809d7eaa

SHA512
8afa82b401b1f35433f3187d13b46bd8638884de5f11f7a8b207e304290a077d45511faf5c0bc15025995c797537ad5c67b4b1683ef0ebc43e20d03834be20ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
29e0e345438882a935d2c0baff457f6c

SHA1
aef4d88c8c81bc9d9440e1f94f792f6ab83e2b5a

SHA256
0c127592f7670047d0b1928fede6ecf7c827b9e8086500b23756e5c02d09a4c6

SHA512
8b87df27f7edc9328debeb3a0f68468d1d46615122e815d03330a9682776f85a47ef37889fc210fb28e56d91bf8cf0f0e594f90c3eaff5827dfd57b97a0b359b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
159bd6a587f370f16522b2a6f690bcc3

SHA1
c07d14fc439997e2f65b982c0702a985b36b9cf8

SHA256
9193c9b28f4e19c5fbd00340dce578825fbc6ce6ab67b1c9082c0d8f64446993

SHA512
a1ddc058193d778b3935ef8f158bb06f014de72124d5561a4d7af99e77921bcfe5ffcb24a1375917d5e438e0f2a1dccb96c1bdc2fa5b6aaf75ca5cabe1788e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
05471356f0ea1c0f5f5b8deb29c3ebd1

SHA1
12b14b737d1e0f76ca2494fb7a6841e5792a0504

SHA256
cf59479c75a8803468dd2a2c1d2803a2694c41992d5a0b3b65b1c69c28d1eac7

SHA512
942285259612792c2b3a45a65483e0775314841e397e815d447fd8f69f63f5de1ac48653a051c0121bd73415655c468772d39ce72bb1ba3d8ae367f78143502b

Download Submit