chimera | 3b19486b4e14b206ec8ab2602ec6a430f9fce7ef40247b1e1f4c6f004ee468b4

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe \"C:\\Windows\\Fonts\\wmsncs.exe\""	wmsncs.exe

Modifies firewall policy service 3 TTPs 8 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	wmsncs.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	wmsncs.exe

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	wmsncs.exe

Windows security bypass 2 TTPs 5 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmsncs.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Swift.exe

Renames multiple (3284) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3256	powershell.exe
1408	powershell.exe
564	powershell.exe

Downloads MZ/PE file 16 IoCs

flow	pid	Process
67	2784	Swift.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe
141	2012	chrome.exe

Looks for VMWare Tools registry key 2 TTPs 64 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	wmsncs.exe

Modifies Windows Firewall 2 TTPs 5 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
4584	netsh.exe
4272	netsh.exe
2620	netsh.exe
2136	netsh.exe
4452	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Swift.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Swift.exe

Executes dropped EXE 64 IoCs

pid	Process
1760	update.exe
4032	QuikNEZUpdater.exe
2848	Apex.exe
5164	Rahack.exe
2060	HawkEye.exe
2452	Rahack.exe
4648	Kobalc.exe
228	wmsncs.exe
5984	ZippedFiles.a.exe
6064	wmsncs.exe
2512	wmsncs.exe
5928	wmsncs.exe
1380	wmsncs.exe
3048	wmsncs.exe
3168	wmsncs.exe
2912	wmsncs.exe
1868	wmsncs.exe
4460	wmsncs.exe
4528	wmsncs.exe
1268	wmsncs.exe
3232	wmsncs.exe
5632	wmsncs.exe
1840	wmsncs.exe
3972	wmsncs.exe
4200	wmsncs.exe
1868	wmsncs.exe
1092	wmsncs.exe
6888	wmsncs.exe
7068	wmsncs.exe
6200	wmsncs.exe
2780	wmsncs.exe
6748	wmsncs.exe
6816	wmsncs.exe
4136	wmsncs.exe
6912	wmsncs.exe
6924	wmsncs.exe
3768	wmsncs.exe
6908	wmsncs.exe
6564	wmsncs.exe
6612	wmsncs.exe
5640	wmsncs.exe
6280	wmsncs.exe
6744	wmsncs.exe
4776	wmsncs.exe
6736	wmsncs.exe
5876	wmsncs.exe
4880	wmsncs.exe
2220	wmsncs.exe
5136	wmsncs.exe
6292	wmsncs.exe
6492	wmsncs.exe
2620	wmsncs.exe
6440	wmsncs.exe
1788	wmsncs.exe
3352	wmsncs.exe
4976	wmsncs.exe
2352	wmsncs.exe
6948	wmsncs.exe
2128	wmsncs.exe
5092	wmsncs.exe
5776	wmsncs.exe
6208	wmsncs.exe
5924	wmsncs.exe
4936	wmsncs.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2784-0-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-2-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-5-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-6-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-7-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-288-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-316-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-1079-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-1092-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2784-1572-0x0000000140000000-0x00000001437AD000-memory.dmp	themida

Windows security modification 2 TTPs 5 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmsncs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmsncs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Swift.exe

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
141	raw.githubusercontent.com
177	camo.githubusercontent.com
193	raw.githubusercontent.com
140	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
196	bot.whatismyipaddress.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\MSDRM\MSOIRMPROTECTOR.XLS	ZippedFiles.a.exe
File created	C:\WINDOWS\SysWOW64\RASCTRNM.H	ZippedFiles.a.exe
File opened for modification	C:\Windows\system32\spool\drivers\wmsncs.exe	wmsncs.exe
File created	C:\Windows\SysWOW64\wins\wmsncs.exe	wmsncs.exe
File created	C:\Windows\SysWOW64\ZippedFiles.a.exe	ZippedFiles.a.exe
File created	C:\Windows\system32\spool\drivers\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\SysWOW64\wins\wmsncs.exe	wmsncs.exe
File created	C:\WINDOWS\SysWOW64\MSDRM\MSOIRMPROTECTOR.DOC	ZippedFiles.a.exe
File created	C:\WINDOWS\SysWOW64\MSDRM\MSOIRMPROTECTOR.PPT	ZippedFiles.a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2784	Swift.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h2x.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\excelmui.msi.16.en-us.vreg.dat	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluError_136x136.svg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\PublishComplete.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare-2x.png	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_unselected_18.svg	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons2x.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover_2x.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_pdf_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\plugin.js	HawkEye.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\ASPNET_STATE_PERF.H	ZippedFiles.a.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-T..RVICES-PERFCOUNTERS_31BF3856AD364E35_10.0.19041.1266_NONE_BF97C5D5F86E2A8C\TSLABELS.H	ZippedFiles.a.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4376_1972681729\hyph-or.hyb	msedgewebview2.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4376_1972681729\_metadata\verified_contents.json	msedgewebview2.exe
File created	C:\WINDOWS\INF\.NET CLR NETWORKING 4.0.0.0\_NETWORKINGPERFCOUNTERS.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-IIS-METABASE_31BF3856AD364E35_10.0.19041.906_NONE_1756861D80A1F0F5\INFOCTRS.H	ZippedFiles.a.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4376_1972681729\hyph-ta.hyb	msedgewebview2.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-R..T-OFFICE-PROTECTORS_31BF3856AD364E35_10.0.19041.746_NONE_EBC47B06544BFAAB\MSOIRMPROTECTOR.DOC	ZippedFiles.a.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4376_1972681729\hyph-cy.hyb	msedgewebview2.exe
File created	C:\WINDOWS\INF\.NET CLR NETWORKING\_NETWORKINGPERFCOUNTERS_V2.H	ZippedFiles.a.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4376_1636499516\manifest.fingerprint	msedgewebview2.exe
File created	C:\WINDOWS\WINSXS\AMD64_MICROSOFT-WINDOWS-TAPICORE_31BF3856AD364E35_10.0.19041.3636_NONE_58D16F4DFBEB0E8D\PERFCTR.H	ZippedFiles.a.exe
File created	C:\WINDOWS\WINSXS\AMD64_WINDOWSSEARCHENGINE_31BF3856AD364E35_7.0.19041.4355_NONE_EC3CCC74029E72BD\IDXCNTRS.H	ZippedFiles.a.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4376_1972681729\hyph-nl.hyb	msedgewebview2.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File created	C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-R..T-OFFICE-PROTECTORS_31BF3856AD364E35_10.0.19041.3636_NONE_8CB7714FDF31EC17\MSOIRMPROTECTOR.XLS	ZippedFiles.a.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File created	C:\Windows\Fonts\wmsncs.exe	Process not Found
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Kobalc.exe
File created	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	wmsncs.exe
File opened for modification	C:\Windows\Fonts\wmsncs.exe	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rahack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmsncs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "450203108"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b2d5ad73d1ddf409acf4becd527684400000000020000000000106600000001000020000000aa7a44968ab0863520fa3815a243ac7d020e998347382a192453f4d6011fe855000000000e8000000002000020000000d7b77a8e76934d7ea448657c7069a0eceb23bf333349461053160c8ccb461c2420000000cdac67901ba4e730c753131eae4c492633b017e3930bdddd17407a5448ed924840000000966594c8da5dc47cdd9dfd6e3edf53b20a6db26727c27d956fe5b87369856c8b68adec763afd94dc1902d4c00505cae7e3272bd7cb421800968902d0d60ec8f5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b2d5ad73d1ddf409acf4becd527684400000000020000000000106600000001000020000000ec4a7cb807661abe600474bea963612ff09b9e634d4da7c9b9a1819aef9d5542000000000e8000000002000020000000c31294a2fdabc924c1a2f8c23253c3370d1606f606e0f7b9558367c7d6c3c4fe2000000025c063cd51afb9021cf3aa5b5643ffa9b14035370f361a35caa490cbe5c926e44000000091231cef79e3231f920159a30e9ba3f69ad177bec10fccbcdac0651818dceb96fdc0d28928dc4f790bbdea4ddbd8bb650c3157d03070c12263908a543d328782	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4DEAD121-0E4C-11F0-A742-7A3B0B0AAC69} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e070a12f59a2db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 004e9f2f59a2db01	iexplore.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534"	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run	wmsncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wmsncs.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter = "C:\\Program Files (x86)\\Common Files\\System\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Wins Service = "C:\\Windows\\system32\\wins\\wmsncs.exe"	wmsncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wmsncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service = "C:\\Windows\\system32\\spool\\drivers\\wmsncs.exe"	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmsncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wmsncs.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879114458242995"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wmsncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components	wmsncs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath = "C:\\Windows\\Fonts\\wmsncs.exe"	wmsncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534"	wmsncs.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1196	chrome.exe
1196	chrome.exe
3256	powershell.exe
3256	powershell.exe
3256	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
564	powershell.exe
564	powershell.exe
564	powershell.exe
1196	chrome.exe
1196	chrome.exe
2856	chrome.exe
2856	chrome.exe
5536	msedgewebview2.exe
5536	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
4376	msedgewebview2.exe
1196	chrome.exe
1196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
2784	Swift.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2848	Apex.exe
6332	iexplore.exe
6332	iexplore.exe
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 3180	1196	chrome.exe	85
PID 1196 wrote to memory of 3180	1196	chrome.exe	85
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 1716	1196	chrome.exe	86
PID 1196 wrote to memory of 2012	1196	chrome.exe	87
PID 1196 wrote to memory of 2012	1196	chrome.exe	87
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88
PID 1196 wrote to memory of 3696	1196	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Swift.exe
"C:\Users\Admin\AppData\Local\Temp\Swift.exe"
1⤵
- Chimera
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\Scripts.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\Scripts'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\Workspace.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\Workspace'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\AutoExec.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\AutoExec'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --enable-features=RemoveRedirectionBitmap --lang=en-US --mojo-named-platform-channel-pipe=2784.3700.6014682427365139521
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4376
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\swift\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x18c,0x190,0x194,0x168,0x19c,0x7ffd9e31b078,0x7ffd9e31b084,0x7ffd9e31b090
    3⤵
    PID:1700
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1800,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1796 /prefetch:2
    3⤵
    PID:1088
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=1852,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    PID:5228
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2364,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:8
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3552,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    PID:1016
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4736,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:8
    3⤵
    PID:1488
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4816,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=776 /prefetch:8
    3⤵
    PID:3040
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4792,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5536
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4324,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8
    3⤵
    PID:3816
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4312,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:8
    3⤵
    PID:2888
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2248,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:8
    3⤵
    PID:4456
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=1236,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
    3⤵
    PID:1976
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4776,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8
    3⤵
    PID:5632
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=356,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4840 /prefetch:8
    3⤵
    PID:4696
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4296,i,16175193691003329193,9734223116601052152,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
    3⤵
    PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffdaf23dcf8,0x7ffdaf23dd04,0x7ffdaf23dd10
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2008,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2240,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4272,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4224 /prefetch:2
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4884,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5524,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5204,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5196,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5624,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5220,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5796,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5884,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5148,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5328,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5708,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=904,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5808,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6148,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=504 /prefetch:8
  2⤵
  PID:796
- C:\Users\Admin\Downloads\update.exe
  "C:\Users\Admin\Downloads\update.exe"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Users\Admin\Downloads\QuikNEZUpdater.exe
  "C:\Users\Admin\Downloads\QuikNEZUpdater.exe"
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Users\Admin\Downloads\Apex.exe
  "C:\Users\Admin\Downloads\Apex.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6300,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5908,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6344,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5968,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6392,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6424,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6152,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6084,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5532,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6412,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6388,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6484,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:220
- C:\Users\Admin\Downloads\Rahack.exe
  "C:\Users\Admin\Downloads\Rahack.exe"
  2⤵
  - Executes dropped EXE
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6500,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6476,i,5876876863000709871,17128632092170061966,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:640
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  PID:2060
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:6332
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6332 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1204
- C:\Users\Admin\Downloads\Rahack.exe
  "C:\Users\Admin\Downloads\Rahack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Users\Admin\Downloads\Kobalc.exe
  "C:\Users\Admin\Downloads\Kobalc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4648
- C:\Users\Admin\Downloads\ZippedFiles.a.exe
  "C:\Users\Admin\Downloads\ZippedFiles.a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:5984

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2272

C:\Windows\Fonts\wmsncs.exe
"C:\Windows\Fonts\wmsncs.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:228
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4584
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set portopening TCP 8080 PORT1
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4272
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set portopening TCP 8081 PORT2
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2620
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2136
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3768
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2340
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1868
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4264
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5736
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5620
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3888
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1408
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5744
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:400
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2968
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:856
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6040
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:440
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:968
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5876
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3640
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1348
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5040
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4676
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2008
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  PID:7068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2272
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:6200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6332
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3708
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  PID:6816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6496
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6560
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2664
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2080
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1360
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2896
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6872
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:7156
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6816
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6544
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4176
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2564
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6012
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6236
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4512
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5140
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1152
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6244
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  PID:6292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3388
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1408
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2980
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5912
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3708
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6748
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5668
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5904
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5564
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5240
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2756
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:344
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:6208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6052
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6668
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4980
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5068
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2424
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Executes dropped EXE
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6168
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:7100
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2968
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6364
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1184
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2040
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3048
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4936
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6104
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - System Location Discovery: System Language Discovery
  PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6552
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3232
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5508
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:408
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6204
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1752
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6344
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:7004
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5472
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2620
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3708
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1980
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4148
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6876
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6840
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - System Location Discovery: System Language Discovery
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:7028
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6748
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6772
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6488
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3044
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5752
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6768
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6176
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5480
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:556
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6504
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6600
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5472
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2664
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5092
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:7044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3172
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5508
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5700
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - Drops file in Windows directory
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6420
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:856
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6720
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6484
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6740
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3388
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6352
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6160
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5452
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6640
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1612
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:444
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - System Location Discovery: System Language Discovery
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6696
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4976
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6456
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6316
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6248
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1276
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4588
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:7068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4164
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2064
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5756
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2196
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3252
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6776
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4272
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4164
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4996
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1444
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6052
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6996
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6484
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5116
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:6780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:7140
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6416
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6972
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2828
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:984
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1752
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4960
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2572
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4956
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6196
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3092
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3392
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - System Location Discovery: System Language Discovery
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4880
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - System Location Discovery: System Language Discovery
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6192
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:876
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5756
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5668
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4200
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5524
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6968
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5564
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6800
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1444
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - System Location Discovery: System Language Discovery
  PID:6508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:856
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4608
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6288
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6704
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5052
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6540
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6640
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2316
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2340
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6592
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6668
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6344
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5724
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:7076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4200
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:7080
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5264
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5188
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3388
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6800
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6288
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6416
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2872
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4996
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5024
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4628
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3708
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6020
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6508
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6532
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3008
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5608
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5668
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6172
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4472
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4076
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6628
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - System Location Discovery: System Language Discovery
  PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6196
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6932
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6876
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7048
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2132
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5296
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2896
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:6252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6012
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6372
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5020
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4588
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1608
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4184
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:64
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:7044
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1200
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2828
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6596
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:188
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4932
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4636
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5456
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6932
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6316
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6792
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5012
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1684
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4288
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4148
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6668
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5844
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2040
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4500
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5316
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5904
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6836
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1272
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5552
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2536
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5608
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6620
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4340
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6260
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4576
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:7164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6068
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1128
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3756
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6116
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - System Location Discovery: System Language Discovery
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6400
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2676
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6012
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6448
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5996
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5716
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5528
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4448
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:876
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4112
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6224
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6500
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5484
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6888
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5680
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2276
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6392
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6544
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5112
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2324
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1304
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6484
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:1840
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4636
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2144
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:7152
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:7120
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4024
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4684
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1180
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2872
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4456
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5860
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2548
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4932
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6188
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6820
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2900
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2968
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3392
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6328
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:6292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3188
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6324
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:7040
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4264
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4668
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Drops file in Windows directory
  PID:6692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6408
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6512
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6740
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3392
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6868
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6624
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1840
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5636
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:7080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6372
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6532
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4940
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:7004
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5036
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4024
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6632
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:5368
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:6012
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4204
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2064
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2864
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:5020
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:1540
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6296
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:7132
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3040
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2940
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6624
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Looks for VMWare Tools registry key
  - System Location Discovery: System Language Discovery
  PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6224
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2924
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4112
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6432
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:4668
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:4296
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:3232
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2484
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:3992
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2848
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2884
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2604
- C:\Windows\Fonts\wmsncs.exe
  C:\Windows\Fonts\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:6484
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\spool\drivers\wmsncs.exe
1⤵
PID:2756
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4680
- C:\Windows\system32\spool\drivers\wmsncs.exe
  C:\Windows\system32\spool\drivers\wmsncs.exe
  2⤵
  PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\wins\wmsncs.exe
1⤵
PID:6820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\wmsncs.exe
1⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Common Files\System\wmsncs.exe
1⤵
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion