mydoom | 25170b69688ea4173e7b6885fc2a4f19788b079dd7633003f9567f9d8210caac

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe
Size

28KB
MD5

8a8676ba6835a04127ea0d79dbd5747f
SHA1

7956a0700085fb19fd912565fa45f676e86d6dd8
SHA256

25170b69688ea4173e7b6885fc2a4f19788b079dd7633003f9567f9d8210caac
SHA512

856aa358707855d97f0eca6e93827f518f9e6a39b145df8204067592a04c16cf30cbc99d659cdcf607403f2378dcaad63674092aead3b4ab602cf16197dd4997
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNiU9uy:Dv8IRRdsxq1DjJcqfxU9uy

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/3868-18-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3220-42-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2760-47-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3868-517-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3868-541-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3868-621-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 64 IoCs

pid	Process
4824	services.exe
3868	java.exe
216	services.exe
4088	services.exe
1364	services.exe
4676	services.exe
3316	services.exe
3220	java.exe
4188	services.exe
3412	services.exe
4708	services.exe
3144	services.exe
4860	services.exe
5060	services.exe
5064	services.exe
4840	services.exe
4516	services.exe
1044	services.exe
2764	services.exe
468	services.exe
1552	services.exe
3132	services.exe
4388	services.exe
4672	services.exe
2580	services.exe
1648	services.exe
2068	services.exe
5196	services.exe
5280	services.exe
5300	services.exe
5316	services.exe
5512	services.exe
5552	services.exe
5708	services.exe
5788	services.exe
5848	services.exe
5856	services.exe
5992	services.exe
6072	services.exe
6108	services.exe
5308	services.exe
5884	services.exe
5820	services.exe
6208	services.exe
6264	services.exe
6272	services.exe
6436	services.exe
6496	services.exe
6576	services.exe
6612	services.exe
6620	services.exe
6720	services.exe
6728	services.exe
6768	services.exe
7128	services.exe
7144	services.exe
6248	services.exe
6896	services.exe
6188	services.exe
7180	services.exe
7344	services.exe
7412	services.exe
7488	services.exe
7692	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2760-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4824-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000b000000024020-4.dat	upx
behavioral2/files/0x00080000000240a8-14.dat	upx
behavioral2/memory/216-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3868-18-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4088-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3220-42-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3220-38-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2760-47-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4824-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4860-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/216-59-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5060-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4088-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5064-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1364-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3316-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4676-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2764-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1044-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4188-85-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3412-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4708-93-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3132-101-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3144-100-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4672-106-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-117-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4840-112-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5196-122-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2764-121-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5316-134-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-133-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/468-129-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5280-128-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5552-140-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4388-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4672-142-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5708-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1648-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5788-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2580-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5992-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5196-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5300-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5308-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5316-158-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6108-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5820-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5884-162-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5512-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5552-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5708-168-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6208-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5848-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6272-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6264-170-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5856-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6436-177-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6496-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6072-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6612-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6768-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6728-186-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	java.exe
File created	C:\Windows\java.exe	java.exe
File created	C:\Windows\services.exe	JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe
File created	C:\Windows\java.exe	JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe
File created	C:\Windows\services.exe	java.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
18980	16832	WerFault.exe	1057
10216	3868	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	16212	dwm.exe
Token: SeChangeNotifyPrivilege	16212	dwm.exe
Token: 33	16212	dwm.exe
Token: SeIncBasePriorityPrivilege	16212	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
16112	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 4824	2760	JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe	86
PID 2760 wrote to memory of 4824	2760	JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe	86
PID 2760 wrote to memory of 4824	2760	JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe	86
PID 2364 wrote to memory of 3868	2364	cmd.exe	94
PID 2364 wrote to memory of 3868	2364	cmd.exe	94
PID 2364 wrote to memory of 3868	2364	cmd.exe	94
PID 3868 wrote to memory of 216	3868	java.exe	96
PID 3868 wrote to memory of 216	3868	java.exe	96
PID 3868 wrote to memory of 216	3868	java.exe	96
PID 2892 wrote to memory of 4088	2892	cmd.exe	101
PID 2892 wrote to memory of 4088	2892	cmd.exe	101
PID 2892 wrote to memory of 4088	2892	cmd.exe	101
PID 980 wrote to memory of 1364	980	cmd.exe	104
PID 980 wrote to memory of 1364	980	cmd.exe	104
PID 980 wrote to memory of 1364	980	cmd.exe	104
PID 3716 wrote to memory of 4676	3716	cmd.exe	107
PID 3716 wrote to memory of 4676	3716	cmd.exe	107
PID 3716 wrote to memory of 4676	3716	cmd.exe	107
PID 4416 wrote to memory of 3316	4416	cmd.exe	108
PID 4416 wrote to memory of 3316	4416	cmd.exe	108
PID 4416 wrote to memory of 3316	4416	cmd.exe	108
PID 4208 wrote to memory of 3220	4208	cmd.exe	111
PID 4208 wrote to memory of 3220	4208	cmd.exe	111
PID 4208 wrote to memory of 3220	4208	cmd.exe	111
PID 2384 wrote to memory of 4188	2384	cmd.exe	114
PID 2384 wrote to memory of 4188	2384	cmd.exe	114
PID 2384 wrote to memory of 4188	2384	cmd.exe	114
PID 5012 wrote to memory of 3412	5012	cmd.exe	117
PID 5012 wrote to memory of 3412	5012	cmd.exe	117
PID 5012 wrote to memory of 3412	5012	cmd.exe	117
PID 668 wrote to memory of 4708	668	cmd.exe	120
PID 668 wrote to memory of 4708	668	cmd.exe	120
PID 668 wrote to memory of 4708	668	cmd.exe	120
PID 768 wrote to memory of 3144	768	cmd.exe	123
PID 768 wrote to memory of 3144	768	cmd.exe	123
PID 768 wrote to memory of 3144	768	cmd.exe	123
PID 792 wrote to memory of 4860	792	cmd.exe	124
PID 792 wrote to memory of 4860	792	cmd.exe	124
PID 792 wrote to memory of 4860	792	cmd.exe	124
PID 4272 wrote to memory of 5060	4272	cmd.exe	131
PID 4272 wrote to memory of 5060	4272	cmd.exe	131
PID 4272 wrote to memory of 5060	4272	cmd.exe	131
PID 1080 wrote to memory of 5064	1080	cmd.exe	134
PID 1080 wrote to memory of 5064	1080	cmd.exe	134
PID 1080 wrote to memory of 5064	1080	cmd.exe	134
PID 4848 wrote to memory of 4840	4848	cmd.exe	137
PID 4848 wrote to memory of 4840	4848	cmd.exe	137
PID 4848 wrote to memory of 4840	4848	cmd.exe	137
PID 3696 wrote to memory of 4516	3696	cmd.exe	140
PID 3696 wrote to memory of 4516	3696	cmd.exe	140
PID 3696 wrote to memory of 4516	3696	cmd.exe	140
PID 2164 wrote to memory of 1044	2164	cmd.exe	141
PID 2164 wrote to memory of 1044	2164	cmd.exe	141
PID 2164 wrote to memory of 1044	2164	cmd.exe	141
PID 880 wrote to memory of 2764	880	cmd.exe	142
PID 880 wrote to memory of 2764	880	cmd.exe	142
PID 880 wrote to memory of 2764	880	cmd.exe	142
PID 520 wrote to memory of 468	520	cmd.exe	149
PID 520 wrote to memory of 468	520	cmd.exe	149
PID 520 wrote to memory of 468	520	cmd.exe	149
PID 4756 wrote to memory of 1552	4756	cmd.exe	152
PID 4756 wrote to memory of 1552	4756	cmd.exe	152
PID 4756 wrote to memory of 1552	4756	cmd.exe	152
PID 4356 wrote to memory of 3132	4356	cmd.exe	155

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a8676ba6835a04127ea0d79dbd5747f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 4412
    3⤵
    - Program crash
    PID:10216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3996
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4156
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1784
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4456
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:472
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3288
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1844
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:5232
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5400
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5560
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5600
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:5748
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5836
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5916
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5932
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6044
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5128
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6140
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5536
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6344
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6364
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6488
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6548
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6680
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6320
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:7708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6664
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6740
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7220
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7272
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7760
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7808
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7816
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7988
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8028
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7264
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8272
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8316
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:9292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8404
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8424
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8516
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8596
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8844
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9004
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9104
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8896
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9220
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9304
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9360
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9400
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9436
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:9736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9532
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9660
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9716
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9896
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10044
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10132
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:10280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10304
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10312
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10424
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10716
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10772
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10800
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10816
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10956
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11080
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9932
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10864
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:12624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11296
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11344
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11540
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11556
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11652
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11984
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11992
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11536
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12292
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12456
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12596
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12652
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12660
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12692
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:12812
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13008
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13040
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13368
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13384
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:14408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13436
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13736
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13820
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13868
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13996
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14008
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:14456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14212
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14296
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13984
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14468
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:15520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14548
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14808
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14820
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14836
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15180
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:15648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16128
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13452
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15636

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:16212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14556
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2204
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5540
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16460
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16700
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:16668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16928
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16956
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17420
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17516
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17608
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:19088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17716
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18024
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18500
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19360
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19212
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19676
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20100
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:19904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19212
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20164

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:20292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15896
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:16112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14236
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:20320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:20396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3976
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19576
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3480
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6512
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6828
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:6992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7480
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7716
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8504
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9312
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9540
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7316
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13660
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14744
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4268
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16824
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15928
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 16832 -s 204
    3⤵
    - Program crash
    PID:18980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 16832 -ip 16832
1⤵
PID:15112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1788
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9F6MUY9F\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IBI1KJ4T\AAOYU8GQ.htm

Filesize
153KB

MD5
f22d1b821eb1dac7b511b80e4964bf6f

SHA1
e9b502de1b2315143a9861e0b6125290978e6706

SHA256
c8f490664c69423bcaaf6d35d7f8c96fc412554a932f231ad69ebe8bc880a70a

SHA512
a4094d9b3869c98bc784b3c2b83234725607df31217471a3980ece0ebd9054e6b9d4ede391573dbe66aedd4d2997221dcd04705635499307996a1e3f42a9b559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IBI1KJ4T\default[2].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N5ALNTYG\OJ3SRA21.htm

Filesize
153KB

MD5
a0954bfc2681fbb2149946f7ee5163f4

SHA1
296a99fee10da0715d7219a79836e7db231a4489

SHA256
31f8a6c7849f7d5552a676248d7150c2ddc56bf1c337d6574725179d559cc611

SHA512
162d0912be1c7addee5fab7f59c562e69fa4106610449c95f7779f8e42167df0721a0204ec60aec8b97f2e50077420cc106fa293bc70060e704205191cc34a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N5ALNTYG\search[4].htm

Filesize
115KB

MD5
8c348c76447a21a86cd753d78d7bcab5

SHA1
176199a41953d30402c1f3230d35a0afc67fd04d

SHA256
82c0798b60dbbd8ffa8710efe172ba3fd9170a06439c001ff3b4327fff1c1797

SHA512
3fd9996c43cf818e16b25d674bbd67f50ef9d167e9b4c6423d3ff75f8915fa2d02d679bf6febd977d4002b4bf484dd67d637e5532d9fe6f56f171dae9fed2ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V9Y5VY4E\results[1].htm

Filesize
1KB

MD5
7278e4ff28ec60fea50a08ab6a8736ea

SHA1
fa2f4fe5d79a8fe1395457c5dda20977c90a9195

SHA256
ebb0f059505efe92997be0ccba6bc8dc52c513ab40165b7b1f8d186f1eaa6c44

SHA512
dcedfae46385c12977bd6bedd83fe17bd03be79b23c74b3bfa6e93bcbc364657901246d5e85e6e4060bc3caaf61f4ecfd25255150553be086f81bea2d29d1465

Download Submit
C:\Users\Admin\AppData\Local\Temp\H3uhdzsU.log

Filesize
1KB

MD5
933389eb606d3ba22db06b351ff1133b

SHA1
faabdd78abe491d5ea759701a408540abef6866b

SHA256
6e15f97e2bd9ab7835e95a891f20a625c62397ccbe65de671143b44de5499a82

SHA512
99b0ab8c2af23e3e95b3feb23c51c7d4876c1b0417936279493eaf3a924babb6e3d65ab6a0928e2af82b3ff21e58772c6fdcd723eeda0dbd200c0084aaaaa1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\H3uhdzsU.log

Filesize
1KB

MD5
44d18134f736d133dd7b7f432406263e

SHA1
09d3d95c970246cbf141aac86baff806fea19114

SHA256
0e3281669f9b88dc92bbc4e8dde46b0a144ab8bce8dc45e58ed06b8a7e72a201

SHA512
80ca16d8d5db9d37ac19db6f3058b19da8159b41998b338fafdf3f21f106b9a2d01c7d371c2e9f5ee6eb823c83e796f0dd1ba1ceeeb890b250e1b6e66b8526ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A2A.tmp

Filesize
28KB

MD5
a26d432d4df8f1da7d37febc6c73a310

SHA1
7799d4c950f42897196dff692bce2d9a7547b1bd

SHA256
ab9d3d823d62b344019ab8aec12a6f775b73e415dccaec78bf93e9b15c57c736

SHA512
79e4d0a0e87596358d238e0685b4f90cf58b31ff39e67b926a84fb3595973f41915c8a8723cfc638f461d8510ce4f59a63612b63aea80b5bcb59dee9458a522f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f5eef6c0f5ad9e39a8d341cb4c79555f

SHA1
47d98ac5d09ad3de046ae07a01865e07e74d3a5e

SHA256
618d5b899085231afa33c6b326a43886825f02a9b463859604a03c70ab939938

SHA512
1c111a2c850eccda1d99ccba9e85e95cda162aeca8c92efca6e4b940b132323d226213f6530b5e07d30b108db169990eba08f857eb46cc7f175e20a2c90aaf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
10427b3a3876ca01eafa843901a8d3a6

SHA1
69c1747deedcab08e7bfeb72a4b799e130291a5f

SHA256
f43b4efeb6ecb01cbda8947a00191b4a8e1b4e7bd1c4b81205975fd58aecc94e

SHA512
91e78c0b249f598009f56e6c2bd8f32b290cef93d498fde0435ec0d66757ab29c3366400cf006d841b06f29560be64c9c8db0349982520aee258185c1ee9ee7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
326cdca1e89c70ba0226041c54e88d97

SHA1
76ecdc9932ab43022b7e9116339a011662fe22a4

SHA256
69669d05e14852d62ba59aee5cb81099b62eaf1275955adf6d8c3ecc6417b817

SHA512
c9a4fe2c43f86927ce6442f03215f62d6c08a657fad047b7a5cd55fdbc40ca4761051b8389567e7b1cd9045fa07698fbe07ee4b2f4f98a5a5f1b8292fd9868d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
32B

MD5
bbe8c331433c6c60d8ab72bb76b33d40

SHA1
9ce9dedd87643379f5a658902292b7ccf3ee59ba

SHA256
cdd9477c213971fbe35daa82e5951806f543890cc51c643b49a1a5df261349b2

SHA512
159421604649ec01ac25311da8c57682d98fa86a944020c733b30cd1583473632b720bc3fe08919ad29788172b221768d2579f0312bd586c2bc5f5d216c1f87a

Download Submit
C:\Windows\java.exe

Filesize
28KB

MD5
8a8676ba6835a04127ea0d79dbd5747f

SHA1
7956a0700085fb19fd912565fa45f676e86d6dd8

SHA256
25170b69688ea4173e7b6885fc2a4f19788b079dd7633003f9567f9d8210caac

SHA512
856aa358707855d97f0eca6e93827f518f9e6a39b145df8204067592a04c16cf30cbc99d659cdcf607403f2378dcaad63674092aead3b4ab602cf16197dd4997

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/216-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/216-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/468-129-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1044-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1364-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1648-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-117-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2580-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2760-47-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2764-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2764-121-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3132-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3144-100-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3220-42-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3220-38-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3316-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3412-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3868-621-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3868-517-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3868-541-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3868-18-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4088-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4088-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4188-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4388-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4672-106-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4672-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4676-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4708-93-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-515-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-619-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-279-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-540-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-922-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4840-112-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4860-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5060-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5064-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5196-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5196-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5280-128-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5300-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5308-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5316-134-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5316-158-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5512-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5552-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5552-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5708-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5708-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5788-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5820-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5820-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5848-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5856-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5884-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5992-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6072-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6108-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6188-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6208-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6248-197-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6264-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6264-191-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6272-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6272-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6436-177-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6496-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6576-201-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6612-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6612-204-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6620-205-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6720-208-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6728-186-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6728-212-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6768-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6768-214-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6896-199-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7128-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7144-194-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7144-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7180-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7344-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7412-228-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7488-213-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7684-236-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7692-235-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7700-219-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7708-238-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7708-220-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7932-243-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7956-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8040-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8048-249-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8064-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8244-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8372-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8452-245-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8656-247-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8752-250-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/19356-685-0x00007FF853710000-0x00007FF853905000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads