mydoom | e56f416db35c4e7102dd82c3768c7c728c74b33e5f64ecfa24d0eae28c5ee3db

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe
Size

28KB
MD5

a91dec5840324ca0f5addff5e33cbbd4
SHA1

1dbba50a8aaedabdb992bbc4b8def8e125ecb477
SHA256

e56f416db35c4e7102dd82c3768c7c728c74b33e5f64ecfa24d0eae28c5ee3db
SHA512

dfb015ee827666499f4702448dc8511dadeb3bfd16f78eb0e575c2d1fd5e140ca216273490e3276188251d87452830562b75b9350e1ab2ca4be4f95b4bf19590
SSDEEP

384:1WxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN+Hx:yv8IRRdsxq1DjJcqf7x

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/4904-33-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2844-46-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/4636-56-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/4636-538-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/4636-564-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/4636-687-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 64 IoCs

pid	Process
6136	services.exe
4636	java.exe
4740	services.exe
904	services.exe
1172	services.exe
4904	java.exe
4892	services.exe
4800	services.exe
1412	services.exe
4916	services.exe
4108	services.exe
5640	services.exe
2076	services.exe
2812	services.exe
884	services.exe
3492	services.exe
5496	services.exe
2408	services.exe
5212	services.exe
4036	services.exe
3204	services.exe
604	services.exe
5800	services.exe
5788	services.exe
2036	services.exe
2308	services.exe
2240	services.exe
2384	services.exe
4184	services.exe
5848	services.exe
4912	services.exe
4980	services.exe
4292	services.exe
676	services.exe
4252	services.exe
6004	services.exe
2244	services.exe
2196	services.exe
1432	services.exe
1804	services.exe
6160	services.exe
6248	services.exe
6332	services.exe
6400	services.exe
6472	services.exe
6492	services.exe
6596	services.exe
6664	services.exe
6752	services.exe
6868	services.exe
6988	services.exe
6996	services.exe
7004	services.exe
7100	services.exe
7148	services.exe
6796	services.exe
6524	services.exe
7280	services.exe
7288	services.exe
7360	services.exe
7392	services.exe
7416	services.exe
7436	services.exe
7612	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2844-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/6136-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x001a000000023edc-4.dat	upx
behavioral1/files/0x000e00000002405f-14.dat	upx
behavioral1/memory/4740-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4904-33-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/4800-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4892-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4916-47-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2844-46-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/4108-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6136-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5640-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4636-56-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/904-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4740-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3492-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1172-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5496-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4892-78-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4800-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1412-88-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4916-92-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5212-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3204-99-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4108-98-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5640-101-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2812-109-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5800-108-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2076-107-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/884-116-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2036-117-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-124-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5496-123-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-127-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5212-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5848-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4036-135-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4912-141-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/604-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4292-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5788-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5800-144-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/676-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2308-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2240-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2384-156-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4184-158-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1804-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6160-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6248-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4980-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6332-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4292-168-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6400-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4252-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2244-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6004-175-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6472-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6596-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6664-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2196-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6752-185-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe
File created	C:\Windows\java.exe	JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe
File created	C:\Windows\services.exe	java.exe
File opened for modification	C:\Windows\java.exe	java.exe
File created	C:\Windows\java.exe	java.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6912	2844	WerFault.exe	86
10400	4636	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	15876	dwm.exe
Token: SeChangeNotifyPrivilege	15876	dwm.exe
Token: 33	15876	dwm.exe
Token: SeIncBasePriorityPrivilege	15876	dwm.exe
Token: SeShutdownPrivilege	15876	dwm.exe
Token: SeCreatePagefilePrivilege	15876	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 6136	2844	JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe	87
PID 2844 wrote to memory of 6136	2844	JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe	87
PID 2844 wrote to memory of 6136	2844	JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe	87
PID 5584 wrote to memory of 4636	5584	cmd.exe	94
PID 5584 wrote to memory of 4636	5584	cmd.exe	94
PID 5584 wrote to memory of 4636	5584	cmd.exe	94
PID 4636 wrote to memory of 4740	4636	java.exe	95
PID 4636 wrote to memory of 4740	4636	java.exe	95
PID 4636 wrote to memory of 4740	4636	java.exe	95
PID 2644 wrote to memory of 904	2644	cmd.exe	96
PID 2644 wrote to memory of 904	2644	cmd.exe	96
PID 2644 wrote to memory of 904	2644	cmd.exe	96
PID 1500 wrote to memory of 1172	1500	cmd.exe	103
PID 1500 wrote to memory of 1172	1500	cmd.exe	103
PID 1500 wrote to memory of 1172	1500	cmd.exe	103
PID 4860 wrote to memory of 4904	4860	cmd.exe	106
PID 4860 wrote to memory of 4904	4860	cmd.exe	106
PID 4860 wrote to memory of 4904	4860	cmd.exe	106
PID 4988 wrote to memory of 4892	4988	cmd.exe	107
PID 4988 wrote to memory of 4892	4988	cmd.exe	107
PID 4988 wrote to memory of 4892	4988	cmd.exe	107
PID 5828 wrote to memory of 4800	5828	cmd.exe	108
PID 5828 wrote to memory of 4800	5828	cmd.exe	108
PID 5828 wrote to memory of 4800	5828	cmd.exe	108
PID 3600 wrote to memory of 1412	3600	cmd.exe	112
PID 3600 wrote to memory of 1412	3600	cmd.exe	112
PID 3600 wrote to memory of 1412	3600	cmd.exe	112
PID 4304 wrote to memory of 4916	4304	cmd.exe	116
PID 4304 wrote to memory of 4916	4304	cmd.exe	116
PID 4304 wrote to memory of 4916	4304	cmd.exe	116
PID 1068 wrote to memory of 4108	1068	cmd.exe	119
PID 1068 wrote to memory of 4108	1068	cmd.exe	119
PID 1068 wrote to memory of 4108	1068	cmd.exe	119
PID 2548 wrote to memory of 5640	2548	cmd.exe	122
PID 2548 wrote to memory of 5640	2548	cmd.exe	122
PID 2548 wrote to memory of 5640	2548	cmd.exe	122
PID 4056 wrote to memory of 2076	4056	cmd.exe	125
PID 4056 wrote to memory of 2076	4056	cmd.exe	125
PID 4056 wrote to memory of 2076	4056	cmd.exe	125
PID 3884 wrote to memory of 2812	3884	cmd.exe	126
PID 3884 wrote to memory of 2812	3884	cmd.exe	126
PID 3884 wrote to memory of 2812	3884	cmd.exe	126
PID 5060 wrote to memory of 884	5060	cmd.exe	133
PID 5060 wrote to memory of 884	5060	cmd.exe	133
PID 5060 wrote to memory of 884	5060	cmd.exe	133
PID 3040 wrote to memory of 3492	3040	cmd.exe	134
PID 3040 wrote to memory of 3492	3040	cmd.exe	134
PID 3040 wrote to memory of 3492	3040	cmd.exe	134
PID 5756 wrote to memory of 5496	5756	cmd.exe	139
PID 5756 wrote to memory of 5496	5756	cmd.exe	139
PID 5756 wrote to memory of 5496	5756	cmd.exe	139
PID 6076 wrote to memory of 2408	6076	cmd.exe	142
PID 6076 wrote to memory of 2408	6076	cmd.exe	142
PID 6076 wrote to memory of 2408	6076	cmd.exe	142
PID 2080 wrote to memory of 5212	2080	cmd.exe	145
PID 2080 wrote to memory of 5212	2080	cmd.exe	145
PID 2080 wrote to memory of 5212	2080	cmd.exe	145
PID 2688 wrote to memory of 4036	2688	cmd.exe	147
PID 2688 wrote to memory of 4036	2688	cmd.exe	147
PID 2688 wrote to memory of 4036	2688	cmd.exe	147
PID 4240 wrote to memory of 3204	4240	cmd.exe	151
PID 4240 wrote to memory of 3204	4240	cmd.exe	151
PID 4240 wrote to memory of 3204	4240	cmd.exe	151
PID 5088 wrote to memory of 604	5088	cmd.exe	153

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a91dec5840324ca0f5addff5e33cbbd4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 2976
  2⤵
  - Program crash
  PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5584
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 4348
    3⤵
    - Program crash
    PID:10400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5828
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6076
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:2472
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1680
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2180
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6016
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2028
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:4356
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1000
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4680
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4996
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:2796
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5916
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3368
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3420
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6288
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6536
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6648
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6728
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6800
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6916
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7080
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6512
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7208
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7560
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:7908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7688
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7900
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7980
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8044
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:8468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8072
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8080
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7608
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8312
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8392
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8580
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8700
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8836
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9024
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9156
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9008
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9060
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9300
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9536
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9544
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9560
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9636
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9752
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9776
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9820
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9912
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9968
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:10456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9508
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10272
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10288
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10308
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:11152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10532
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10640
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10896
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11040
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11124
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:11240
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:11972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11252
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4976
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10916
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11408
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11588
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11596
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11692
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11700
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11720
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11984
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:12068
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:12660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12252
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11664
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12408
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12436
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12608
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12720
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12752
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:12768
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:13360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12960
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13196
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12360
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12780
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13000
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13460
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:14660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13588
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13600
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13784
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13860
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13976
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13996
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14176
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13692
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15008
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:15032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4344
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14516
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16504

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16532
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16588
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16648
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17140
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17388
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16844
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17148
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17512
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17568
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17812
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17968
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18204
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18836
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18952
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18788
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:19400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19776
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20048
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:20420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17436
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14952
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:432
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:544
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4796
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5292
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9956
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10700
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17096
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12284
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13704
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15124
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4636 -ip 4636
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2844 -ip 2844
1⤵
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3816
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10268
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3788
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14736
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20036

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MHD417D2\default[3].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W212EQCE\results[1].htm

Filesize
1KB

MD5
7278e4ff28ec60fea50a08ab6a8736ea

SHA1
fa2f4fe5d79a8fe1395457c5dda20977c90a9195

SHA256
ebb0f059505efe92997be0ccba6bc8dc52c513ab40165b7b1f8d186f1eaa6c44

SHA512
dcedfae46385c12977bd6bedd83fe17bd03be79b23c74b3bfa6e93bcbc364657901246d5e85e6e4060bc3caaf61f4ecfd25255150553be086f81bea2d29d1465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W212EQCE\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsVciwwxod.log

Filesize
1KB

MD5
6685c2c13c289ab0f1db4e421e595ff9

SHA1
1ffc2e10cca4f1e100a873144588198bdd5e2f9a

SHA256
bda4a7d3c0462a140bed0922eea2116ce1aba0bcd97fb8ecc90615641cd5848a

SHA512
df7b366202c0ff9b967171528bbfd0c6bc05d83fca26860debe3fdd1c77487f2963ed06d4c1729a2795c494a4a1b98d1765ac7363f079ae15eda8163e59260a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsVciwwxod.log

Filesize
1KB

MD5
53b27d1d1a180150f36f123831350e2d

SHA1
bc693e6829bd4ca25d1be70d04c8a3357a0b0b9f

SHA256
fdab1a189d7d675e6a48eef6a7c6ce11dd2d938f7917f1498e6ff85b04db2037

SHA512
3c1630a8cda9e8c79ab999b6304f02059a73640631b18dfefb929700104412423642663ec13a1a4eeff8c68736c36bcd59d70d058a93384ca6d99cd883f042da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE33C.tmp

Filesize
28KB

MD5
9b61823302a70c133cf0dde17f0ac450

SHA1
6b6ef4c840d5cdeb5a18c0a3df02954e9cfa80a2

SHA256
67b1a0729b63cec32625088f50ed15e896d4fe3e1d7648249a53211294511a39

SHA512
55efd1e45d13caa4b13726d8ca1eacdb84b3c8c41e8f893a9ef991829b3ae0024e13071aab8f2640f87b007c4668dd0a7e22c1f671e9f22c0af0d6676d66bfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
2dcafcbbc13c805b2882950aecb1c6a4

SHA1
c0a74502ba0ad9659771a32f7d6816fd9bb116fc

SHA256
fb4a25d43ae6dbe8360c78c10bb1b63b91450a3ec69d486589d65c560481e281

SHA512
f7661d2e8a602466e853dec129773273305c9b5e7abd07070c0aab0d05f756e1c28a760829d2a8279f50a116f1182af793ef3b4c53bbea64b9f7de664f76b77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
32B

MD5
133248ae68753e37be28c0dbe35cfb9d

SHA1
b2b2cedfb7693b891ce4f2c87626bfa4ef156acc

SHA256
2fcea6641956a3f0980c989fb32a1b62bc1c12f1c102746d7b1d7ac17ffaca91

SHA512
e6756864d074b792c590c44bfcbc85a1d5006eb34de8d5dc40632c226649da8ba9bbb16281c6f1da1d06d6ec27c6f977063afde874accfb8efadb6e9e7c1311e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0bc378053e08aeeefcac32ce66b2bfc0

SHA1
bd8db80b49a91602e4e630f57c3e45a261e46d3e

SHA256
0440dac30fbf9675d6f121f65d1a6daa5cc45435ed439a16e795e58ae51a72ea

SHA512
6e1d6eb4039300beceadcb7900ac383e3c05d0c61ef9b0b1c0fbe1939b73606315a79572a1d89bdc37764bf7c734d8e969e3a57bfa07dff31543ac1002c4a196

Download Submit
C:\Windows\java.exe

Filesize
28KB

MD5
a91dec5840324ca0f5addff5e33cbbd4

SHA1
1dbba50a8aaedabdb992bbc4b8def8e125ecb477

SHA256
e56f416db35c4e7102dd82c3768c7c728c74b33e5f64ecfa24d0eae28c5ee3db

SHA512
dfb015ee827666499f4702448dc8511dadeb3bfd16f78eb0e575c2d1fd5e140ca216273490e3276188251d87452830562b75b9350e1ab2ca4be4f95b4bf19590

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/604-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/676-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/884-116-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/904-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1172-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1412-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1432-184-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1804-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2036-117-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2076-107-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2196-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-124-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2244-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2308-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2384-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2408-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2408-127-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-109-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2844-46-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2844-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3204-99-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3492-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4036-135-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4108-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4108-98-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-158-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4252-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4292-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4292-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4636-564-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4636-56-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4636-687-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4636-538-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4740-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4740-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4892-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4892-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4904-33-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4912-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4916-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4916-47-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4980-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5212-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5212-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5496-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5496-123-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5640-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5640-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5788-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5800-144-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5800-108-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5848-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6004-175-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6136-537-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6136-324-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6136-563-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6136-686-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6136-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6136-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6160-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6248-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6248-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6332-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6400-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6472-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6492-198-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6524-201-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6596-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6664-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6752-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6796-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6868-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6868-186-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6988-189-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6996-190-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6996-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7004-210-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7004-191-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7100-196-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7148-217-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7280-203-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7288-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7288-204-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7360-232-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7392-234-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7392-208-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7416-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7416-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7436-212-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7436-238-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7612-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7852-220-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7860-223-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7880-224-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7908-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7920-228-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8268-239-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8288-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8320-242-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8400-245-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/13552-524-0x00007FFC673B0000-0x00007FFC6744E000-memory.dmp

Filesize
632KB

Download
memory/14388-518-0x00007FF6FB180000-0x00007FF6FB1E7000-memory.dmp

Filesize
412KB

Download
memory/15128-535-0x00007FF6FB180000-0x00007FF6FB1E7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads