mydoom | 2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
Size

29KB
MD5

4bdf6ff55589f81e261c5f8ce04eddf3
SHA1

920140ce2dedee06b09c9e271e810cb34da5080f
SHA256

2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19
SHA512

3dad6863ec0565613ae13c132d84e2873020395188ab1dbceba06e6eeffb45251c5313a7758f37f662eaa92bb0a4d63c6e1cbc490c6ea6087f7e68cbb617cceb
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/qhY:AEwVs+0jNDY1qi/qyW

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/4212-34-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5632-45-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5956-50-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5956-509-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5956-534-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom
behavioral2/memory/5956-669-0x0000000000500000-0x0000000000510200-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 64 IoCs

pid	Process
1172	services.exe
5956	java.exe
3944	services.exe
2904	services.exe
2836	services.exe
4212	java.exe
4424	services.exe
4548	services.exe
4564	services.exe
1788	services.exe
4792	services.exe
5232	services.exe
4860	services.exe
5032	services.exe
3936	services.exe
1944	services.exe
1484	services.exe
5696	services.exe
2500	services.exe
6112	services.exe
1628	services.exe
5272	services.exe
5988	services.exe
5804	services.exe
3244	services.exe
4116	services.exe
5992	services.exe
1116	services.exe
5396	services.exe
2916	services.exe
6028	services.exe
4460	services.exe
5004	services.exe
5820	services.exe
1108	services.exe
4040	services.exe
5180	services.exe
1512	services.exe
3732	services.exe
5436	services.exe
5788	services.exe
2856	services.exe
5224	services.exe
4804	services.exe
6152	services.exe
6244	services.exe
6312	services.exe
6348	services.exe
6448	services.exe
6504	services.exe
6512	services.exe
6684	services.exe
6692	services.exe
6760	services.exe
6908	services.exe
7032	services.exe
7040	services.exe
7124	services.exe
7140	services.exe
7156	services.exe
6176	services.exe
7248	services.exe
7312	services.exe
7384	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5632-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00070000000242ae-4.dat	upx
behavioral2/memory/1172-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00080000000242af-14.dat	upx
behavioral2/memory/2836-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4212-34-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5632-45-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5956-50-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1172-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5232-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2836-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2904-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4424-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5696-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4548-78-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4792-91-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1628-90-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6112-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1788-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5232-94-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5988-101-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4860-100-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3936-104-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5032-103-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3244-110-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4116-114-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1944-113-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1484-119-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5992-120-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1116-124-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5396-129-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2500-128-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1628-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6028-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5004-141-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4460-140-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5272-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5804-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4116-147-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1108-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1512-151-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5180-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3732-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6028-158-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5436-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2916-156-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5820-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6152-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6244-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5180-168-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6348-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6448-173-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5788-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6512-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5224-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4804-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6908-186-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6684-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2856-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6312-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6504-192-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6692-197-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/6760-199-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	java.exe
File created	C:\Windows\services.exe	2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
File opened for modification	C:\Windows\java.exe	2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
File created	C:\Windows\java.exe	2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
File created	C:\Windows\services.exe	java.exe
File opened for modification	C:\Windows\java.exe	java.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
18336	5956	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14472	dwm.exe
Token: SeChangeNotifyPrivilege	14472	dwm.exe
Token: 33	14472	dwm.exe
Token: SeIncBasePriorityPrivilege	14472	dwm.exe
Token: SeCreateGlobalPrivilege	13056	dwm.exe
Token: SeChangeNotifyPrivilege	13056	dwm.exe
Token: 33	13056	dwm.exe
Token: SeIncBasePriorityPrivilege	13056	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5632 wrote to memory of 1172	5632	2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe	88
PID 5632 wrote to memory of 1172	5632	2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe	88
PID 5632 wrote to memory of 1172	5632	2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe	88
PID 380 wrote to memory of 5956	380	cmd.exe	95
PID 380 wrote to memory of 5956	380	cmd.exe	95
PID 380 wrote to memory of 5956	380	cmd.exe	95
PID 3488 wrote to memory of 3944	3488	cmd.exe	96
PID 3488 wrote to memory of 3944	3488	cmd.exe	96
PID 3488 wrote to memory of 3944	3488	cmd.exe	96
PID 1100 wrote to memory of 2904	1100	cmd.exe	97
PID 1100 wrote to memory of 2904	1100	cmd.exe	97
PID 1100 wrote to memory of 2904	1100	cmd.exe	97
PID 5956 wrote to memory of 2836	5956	java.exe	99
PID 5956 wrote to memory of 2836	5956	java.exe	99
PID 5956 wrote to memory of 2836	5956	java.exe	99
PID 5228 wrote to memory of 4212	5228	cmd.exe	107
PID 5228 wrote to memory of 4212	5228	cmd.exe	107
PID 5228 wrote to memory of 4212	5228	cmd.exe	107
PID 3412 wrote to memory of 4424	3412	cmd.exe	108
PID 3412 wrote to memory of 4424	3412	cmd.exe	108
PID 3412 wrote to memory of 4424	3412	cmd.exe	108
PID 5948 wrote to memory of 4548	5948	cmd.exe	109
PID 5948 wrote to memory of 4548	5948	cmd.exe	109
PID 5948 wrote to memory of 4548	5948	cmd.exe	109
PID 5372 wrote to memory of 4564	5372	cmd.exe	111
PID 5372 wrote to memory of 4564	5372	cmd.exe	111
PID 5372 wrote to memory of 4564	5372	cmd.exe	111
PID 4508 wrote to memory of 1788	4508	cmd.exe	117
PID 4508 wrote to memory of 1788	4508	cmd.exe	117
PID 4508 wrote to memory of 1788	4508	cmd.exe	117
PID 4520 wrote to memory of 4792	4520	cmd.exe	120
PID 4520 wrote to memory of 4792	4520	cmd.exe	120
PID 4520 wrote to memory of 4792	4520	cmd.exe	120
PID 4680 wrote to memory of 5232	4680	cmd.exe	121
PID 4680 wrote to memory of 5232	4680	cmd.exe	121
PID 4680 wrote to memory of 5232	4680	cmd.exe	121
PID 4832 wrote to memory of 4860	4832	cmd.exe	126
PID 4832 wrote to memory of 4860	4832	cmd.exe	126
PID 4832 wrote to memory of 4860	4832	cmd.exe	126
PID 1188 wrote to memory of 5032	1188	cmd.exe	131
PID 1188 wrote to memory of 5032	1188	cmd.exe	131
PID 1188 wrote to memory of 5032	1188	cmd.exe	131
PID 5304 wrote to memory of 3936	5304	cmd.exe	132
PID 5304 wrote to memory of 3936	5304	cmd.exe	132
PID 5304 wrote to memory of 3936	5304	cmd.exe	132
PID 720 wrote to memory of 1944	720	cmd.exe	137
PID 720 wrote to memory of 1944	720	cmd.exe	137
PID 720 wrote to memory of 1944	720	cmd.exe	137
PID 1336 wrote to memory of 1484	1336	cmd.exe	140
PID 1336 wrote to memory of 1484	1336	cmd.exe	140
PID 1336 wrote to memory of 1484	1336	cmd.exe	140
PID 5708 wrote to memory of 5696	5708	cmd.exe	143
PID 5708 wrote to memory of 5696	5708	cmd.exe	143
PID 5708 wrote to memory of 5696	5708	cmd.exe	143
PID 1308 wrote to memory of 2500	1308	cmd.exe	146
PID 1308 wrote to memory of 2500	1308	cmd.exe	146
PID 1308 wrote to memory of 2500	1308	cmd.exe	146
PID 2216 wrote to memory of 6112	2216	cmd.exe	149
PID 2216 wrote to memory of 6112	2216	cmd.exe	149
PID 2216 wrote to memory of 6112	2216	cmd.exe	149
PID 468 wrote to memory of 1628	468	cmd.exe	150
PID 468 wrote to memory of 1628	468	cmd.exe	150
PID 468 wrote to memory of 1628	468	cmd.exe	150
PID 3800 wrote to memory of 5272	3800	cmd.exe	155

C:\Users\Admin\AppData\Local\Temp\2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe
"C:\Users\Admin\AppData\Local\Temp\2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5632
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 2536
    3⤵
    - Program crash
    PID:18336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5228
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5948
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5304
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5708
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3988
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5848
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4400
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:2824
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:388
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:908
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:3960
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2588
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5784
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:1696
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:960
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4608
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:2988
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5916
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2776
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2416
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:3824
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4344
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4916
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6208
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6360
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6576
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6736
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6768
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6808
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6856
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:7156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6948
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7076
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6388
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6584
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6788
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7268
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7360
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7456
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7548
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7604
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:7980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7780
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7820
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7860
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8036
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8024
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6524
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8272
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8416
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8512
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8732
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8744
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8960
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8984
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9104
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:9268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8176
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8584
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9212
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9356
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:9896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9384
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9776
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9868
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9936
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:10484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10060
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10100
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10108
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10200
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10268
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:10940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:10704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10416
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10536
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:11492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10636
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10740
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10836
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10892
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11168
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11248
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10244
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10260
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:11588
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:12024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11744
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11752
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11776
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11800
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12016
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12096
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12108
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12124
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12168
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:12196
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11260
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12452
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12500
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12568
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12576
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12704
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12784
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12796
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12816
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12916
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13104
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13228
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:14212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13196
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:14244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13596
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13800
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13896
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13912
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14256
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:14984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14580
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14872
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14964

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15108
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15460
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15820
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16160
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16296
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16304
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4268
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15588
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3364
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16196
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1660
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4048
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16432
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:16540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16872
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17388
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16740
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16844
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7368
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17992
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5956 -ip 5956
1⤵
PID:18316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8000
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:18796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18600

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13056

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:13872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18992
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15288
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1312
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14952
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2544
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6072
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6896
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1212
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8692
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8956
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9436
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11464
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H91JNNJV\PUK3R0MJ.htm

Filesize
153KB

MD5
0b772766ca3417e0bed475b3729d2f82

SHA1
b254e43d9598ab591ac9bca886b32fb794bb354a

SHA256
e04ea8cda73c3afe930198a92f688e32da5eb00187a0b0ca78734a36fe798f2c

SHA512
745c76c6bd018c3214aeaad701830483075043cee3149fd7948ba0e38337c087cfb6479d418102103294f51ad0e7f9230ceb41de537c5a5781a5579b0b92f7c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W212EQCE\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsVciwwxod.log

Filesize
288B

MD5
9adead5c4289e80ad018740b16495c51

SHA1
d59aebfa037ae008b9479b0e224b7d08cb1a81b8

SHA256
beb827f45bbc99a484c4f501d7737c7707223b582dfa61c01d4de6daf1734a02

SHA512
6feb7cfa56f75c4aacdd58e8523a19454cb099e26ee680d07b7f2afb7f941b11091ae9cf67e1a29fbec5861556471ad2ab54812acd3f1ec8cadc2d1feb3c8df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AB.tmp

Filesize
29KB

MD5
305402e4df65106f866984be329d135c

SHA1
e45f4520c15b0d192d2931bbf3ea2ea20e7bd2fc

SHA256
96b1ea942dac248ef504f734e0a1d6783c65e110df362a708e0a0a31dea36170

SHA512
71a8fc758b655a69b97cb5ace0ebdb9fda9665f8e0d4eea5ad9da01a73baeac827f5fea02681826657d7eb3c4fd18e476871ed3628a1b9f5d0d059d74bf69e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
424B

MD5
fc0d7bebd515ad2ec1affeddefb8c5a4

SHA1
b33c1a2e6cfe5d2e80e4eb3908a2c06f1cbfd57d

SHA256
0eca9a0bafc7ec1815ea5f88e7879a7acd32c92febda859e90415c970ec4af47

SHA512
12564bc214191f94f802e1843e133ef2ff39907ca0fffd4f9953651d62e4e364c0bfdd1003d1b4bd4fe7e0a8394156e32d4caeb5f955b8557f2073af693ec0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
ac0e8f7d7731cc601e07a47901303b3e

SHA1
2bd119b15ac32ca9d7d3842824e6f7ec60ced7ee

SHA256
eddd5bc9bfba97406bafe20ddaf4e536581dc56a21a4dc02d00ca1cf91dee0e2

SHA512
357317e8f6e9e22ab88a2790f528f357f528754d478908c36ef133b0f20b5ce504efb2910930d49a532d768413498e1b442edb04fb10f84f50d061eb3eb3f1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
897e2bea2d8d40a62db8e6ebb5cedf3c

SHA1
e19e37871063a2e8c277f301dd20813a54140ebe

SHA256
278c1b5350a0b6825b5e60f38bbc483ff48528617bb169fc99cf85d30c85dec6

SHA512
e63b8bae62db79c6eef2aa167a2817666296a2c8d96cd46784fb044ef4ff793fb331ebb17e761c89bec7aa291918768ef7b655d62d563bb40231f94a84b2666a

Download Submit
C:\Windows\java.exe

Filesize
29KB

MD5
4bdf6ff55589f81e261c5f8ce04eddf3

SHA1
920140ce2dedee06b09c9e271e810cb34da5080f

SHA256
2750801e815da91a4cbee9754040cf35c7e768be13044cdf5c39788c7fa08c19

SHA512
3dad6863ec0565613ae13c132d84e2873020395188ab1dbceba06e6eeffb45251c5313a7758f37f662eaa92bb0a4d63c6e1cbc490c6ea6087f7e68cbb617cceb

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1108-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1116-124-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1172-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1172-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1172-533-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1172-506-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1172-679-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1172-324-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1512-151-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1628-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1628-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1788-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-113-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2500-128-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2836-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2836-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2856-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2904-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2916-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3244-110-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3732-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3936-104-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3944-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4116-114-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4116-147-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4212-34-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4424-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4460-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4548-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4792-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4804-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4860-100-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5004-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5032-103-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5180-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5180-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5224-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5232-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5232-94-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5272-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5396-129-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5436-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5632-45-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5632-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5696-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5788-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5804-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5820-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5956-50-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5956-509-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5956-669-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5956-534-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5988-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5992-120-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6028-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6028-158-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6112-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6152-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6176-214-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6244-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6312-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6348-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6448-173-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6504-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6512-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6684-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6692-197-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6728-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6760-199-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6908-186-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7032-201-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7040-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7124-208-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7140-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7156-210-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7248-217-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7312-220-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7384-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7468-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7492-250-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7496-228-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7508-229-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7532-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7532-251-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7688-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7700-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7740-239-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7812-233-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7980-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7992-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8020-258-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8092-221-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8152-244-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8352-235-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8476-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8520-259-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8520-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8528-260-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8552-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8572-245-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8884-252-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/9172-255-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/14928-512-0x00007FF799F10000-0x00007FF799F77000-memory.dmp

Filesize
412KB

Download
memory/17972-654-0x00007FFB4BEC0000-0x00007FFB4C189000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads