mydoom | 9d337f372a9b5cc08139e0861a7774fcf3e8e195b3f321d71509bb6dabf465ea

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe
Size

28KB
MD5

ac9de33348ccd7b3972f40e6da403ee4
SHA1

44d2884489f9aa23192d14b8d406d7e47eef3162
SHA256

9d337f372a9b5cc08139e0861a7774fcf3e8e195b3f321d71509bb6dabf465ea
SHA512

b9059ba7195e0eff87c9fff301d2746dfdbc5e6f3668a3aba4c31f13d472f5a73c63715288a0708fd22d6c6c06fc4f351a54c033ea1eadb3b6049880414232c0
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNap:Dv8IRRdsxq1DjJcqfrp

Score

10^/10

mydoom microsoft discovery persistence phishing product:outlook upx worm

Malware Config

Signatures

Detected microsoft outlook phishing page 1 IoCs

phishing microsoft product:outlook

flow	pid	Process
125	2208	java.exe

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral1/memory/4712-37-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2440-44-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2208-54-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2208-545-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2208-569-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 64 IoCs

pid	Process
5860	services.exe
2208	java.exe
1092	services.exe
4588	services.exe
4776	services.exe
2408	services.exe
1696	services.exe
4712	java.exe
4908	services.exe
5216	services.exe
1104	services.exe
4824	services.exe
932	services.exe
2948	services.exe
3736	services.exe
2364	services.exe
3752	services.exe
1480	services.exe
5184	services.exe
2828	services.exe
4388	services.exe
3560	services.exe
4200	services.exe
3248	services.exe
3632	services.exe
1152	services.exe
3980	services.exe
224	services.exe
3532	services.exe
5260	services.exe
3948	services.exe
4464	services.exe
4876	services.exe
5588	services.exe
3700	services.exe
6132	services.exe
1576	services.exe
5928	services.exe
4536	services.exe
5664	services.exe
4764	services.exe
2040	services.exe
6264	services.exe
6348	services.exe
6404	services.exe
6496	services.exe
6668	services.exe
6772	services.exe
6788	services.exe
6864	services.exe
6900	services.exe
7072	services.exe
7092	services.exe
7080	services.exe
7104	services.exe
6284	services.exe
7160	services.exe
7240	services.exe
7396	services.exe
7480	services.exe
7488	services.exe
7496	services.exe
7504	services.exe
7548	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2440-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x0008000000024263-4.dat	upx
behavioral1/memory/5860-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000024267-14.dat	upx
behavioral1/memory/4712-37-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/4908-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5216-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2440-44-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1104-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5860-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-54-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/4588-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1092-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4776-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1696-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4388-90-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4824-94-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1104-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2828-87-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5216-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4200-101-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/932-100-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3248-105-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3736-107-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-111-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1480-121-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/224-122-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3980-117-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3752-116-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5184-125-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5260-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4388-135-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3948-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3560-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3632-141-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6132-144-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1152-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1576-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3532-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/224-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4464-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2040-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4876-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6348-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5588-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3700-162-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6496-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1576-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6668-168-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4536-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6864-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4764-175-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5664-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6772-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5928-170-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2040-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/7092-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/7104-185-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6404-184-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6264-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6496-188-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/7240-192-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6900-197-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe
File created	C:\Windows\java.exe	JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe
File created	C:\Windows\services.exe	java.exe
File opened for modification	C:\Windows\java.exe	java.exe
File created	C:\Windows\java.exe	java.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10568	2208	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	16628	dwm.exe
Token: SeChangeNotifyPrivilege	16628	dwm.exe
Token: 33	16628	dwm.exe
Token: SeIncBasePriorityPrivilege	16628	dwm.exe
Token: SeShutdownPrivilege	16628	dwm.exe
Token: SeCreatePagefilePrivilege	16628	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 5860	2440	JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe	87
PID 2440 wrote to memory of 5860	2440	JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe	87
PID 2440 wrote to memory of 5860	2440	JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe	87
PID 3260 wrote to memory of 2208	3260	cmd.exe	94
PID 3260 wrote to memory of 2208	3260	cmd.exe	94
PID 3260 wrote to memory of 2208	3260	cmd.exe	94
PID 2208 wrote to memory of 1092	2208	java.exe	95
PID 2208 wrote to memory of 1092	2208	java.exe	95
PID 2208 wrote to memory of 1092	2208	java.exe	95
PID 4988 wrote to memory of 4588	4988	cmd.exe	100
PID 4988 wrote to memory of 4588	4988	cmd.exe	100
PID 4988 wrote to memory of 4588	4988	cmd.exe	100
PID 764 wrote to memory of 4776	764	cmd.exe	101
PID 764 wrote to memory of 4776	764	cmd.exe	101
PID 764 wrote to memory of 4776	764	cmd.exe	101
PID 4476 wrote to memory of 2408	4476	cmd.exe	107
PID 4476 wrote to memory of 2408	4476	cmd.exe	107
PID 4476 wrote to memory of 2408	4476	cmd.exe	107
PID 4644 wrote to memory of 1696	4644	cmd.exe	108
PID 4644 wrote to memory of 1696	4644	cmd.exe	108
PID 4644 wrote to memory of 1696	4644	cmd.exe	108
PID 4452 wrote to memory of 4712	4452	cmd.exe	111
PID 4452 wrote to memory of 4712	4452	cmd.exe	111
PID 4452 wrote to memory of 4712	4452	cmd.exe	111
PID 1052 wrote to memory of 4908	1052	cmd.exe	114
PID 1052 wrote to memory of 4908	1052	cmd.exe	114
PID 1052 wrote to memory of 4908	1052	cmd.exe	114
PID 1992 wrote to memory of 5216	1992	cmd.exe	118
PID 1992 wrote to memory of 5216	1992	cmd.exe	118
PID 1992 wrote to memory of 5216	1992	cmd.exe	118
PID 4844 wrote to memory of 1104	4844	cmd.exe	121
PID 4844 wrote to memory of 1104	4844	cmd.exe	121
PID 4844 wrote to memory of 1104	4844	cmd.exe	121
PID 1164 wrote to memory of 4824	1164	cmd.exe	123
PID 1164 wrote to memory of 4824	1164	cmd.exe	123
PID 1164 wrote to memory of 4824	1164	cmd.exe	123
PID 4604 wrote to memory of 932	4604	cmd.exe	125
PID 4604 wrote to memory of 932	4604	cmd.exe	125
PID 4604 wrote to memory of 932	4604	cmd.exe	125
PID 4600 wrote to memory of 2948	4600	cmd.exe	127
PID 4600 wrote to memory of 2948	4600	cmd.exe	127
PID 4600 wrote to memory of 2948	4600	cmd.exe	127
PID 876 wrote to memory of 3736	876	cmd.exe	133
PID 876 wrote to memory of 3736	876	cmd.exe	133
PID 876 wrote to memory of 3736	876	cmd.exe	133
PID 4000 wrote to memory of 2364	4000	cmd.exe	136
PID 4000 wrote to memory of 2364	4000	cmd.exe	136
PID 4000 wrote to memory of 2364	4000	cmd.exe	136
PID 1904 wrote to memory of 3752	1904	cmd.exe	137
PID 1904 wrote to memory of 3752	1904	cmd.exe	137
PID 1904 wrote to memory of 3752	1904	cmd.exe	137
PID 1188 wrote to memory of 1480	1188	cmd.exe	138
PID 1188 wrote to memory of 1480	1188	cmd.exe	138
PID 1188 wrote to memory of 1480	1188	cmd.exe	138
PID 1160 wrote to memory of 5184	1160	cmd.exe	147
PID 1160 wrote to memory of 5184	1160	cmd.exe	147
PID 1160 wrote to memory of 5184	1160	cmd.exe	147
PID 3184 wrote to memory of 2828	3184	cmd.exe	150
PID 3184 wrote to memory of 2828	3184	cmd.exe	150
PID 3184 wrote to memory of 2828	3184	cmd.exe	150
PID 2384 wrote to memory of 4388	2384	cmd.exe	152
PID 2384 wrote to memory of 4388	2384	cmd.exe	152
PID 2384 wrote to memory of 4388	2384	cmd.exe	152
PID 4280 wrote to memory of 3560	4280	cmd.exe	153

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac9de33348ccd7b3972f40e6da403ee4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Detected microsoft outlook phishing page
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    PID:1092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 3668
    3⤵
    - Program crash
    PID:10568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:5404
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2224
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1296
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:3756
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:920
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5388
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:512
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:3976
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:808
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5532
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2344
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2404
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5416
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2460
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:760
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:5940
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4552
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6220
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6236
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6420
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6544
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:7092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6928
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6996
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7140
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6248
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7156
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7220
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7248
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7540
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7648
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7656
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:8064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7828
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8028
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7272
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7700
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8212
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8264
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8416
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8764
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8844
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:9348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8940
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8968
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8996
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8248
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8504
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8244
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9220
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9260
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9424
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:10144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9560
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9816
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10072
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10212
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9304
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:10916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9416
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10264
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10368
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10648
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10744
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10828
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10964
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11108
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11212
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10940
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11080
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:11468
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:12496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11596
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11608
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11688
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11868
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12008
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12116
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12200
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12236
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11312
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2824
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12348
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12440
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:12580
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:12948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12692
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12924
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13016
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13104
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13200
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13228
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12044
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12664
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13268
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13444
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:14840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13456
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13720
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:14060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14016
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14260
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14464
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14904
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:15116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15128
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15312
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14404
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14148
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13416
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13400
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16084
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3588
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:17464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16388
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16112

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:16628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16920
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10028
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17660
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17772
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17948
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18076
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18220
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18336
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12208
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12224
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18576
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20344
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:20396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20420
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19768
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1124
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:20100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6208
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19488
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8000
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8408
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9508
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9960
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:10108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:228
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10588
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1636
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12160
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18360
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18688
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2208 -ip 2208
1⤵
PID:16884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:19820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11636
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:836
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11924

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8RDJB14J\results[2].htm

Filesize
1KB

MD5
23c80875746a4681a49ac6fe4d3e66a0

SHA1
c82c5ba93d49d6279a3ca43ad321f79c188b4679

SHA256
d666bdb067d011a430abcabdc007fd93724bdeb4933196a07b9661ae04a9c3ee

SHA512
15bfb1576ec56c0404926055f438132027bf1e33b8de9ea1af6ee4c879a099db4a44b3c4e7b95d644e587e8313e82f789ad35d3bc89b7b54235f465d1b1190ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8RDJB14J\search[2].htm

Filesize
119KB

MD5
64657b2cd479f61515004258c227dc44

SHA1
8994646b8378527280adfe53f9a4abe5d56b6030

SHA256
2eeecee39f7316e17f265ba41ff58557d4409e1305e17939e1f539d939f8cb34

SHA512
30810151b1c24b0b183b907ae61e588e08105b01e7f4337f97e40a1b9397db63566b90759995fc91e94f3934581284a0ea8bb8fdd23581e2ed81ffe213792fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8RDJB14J\search[4].htm

Filesize
116KB

MD5
6660de0df9e06075a30019092388c660

SHA1
02c8290f91803dd69918757dd61e20cad4f3a023

SHA256
8bb0506d749f2341c63f4ef7d01a90c77736f0860fc0ed3a7484a4739ec469cc

SHA512
bbcfa9489e79760c2814512a01fb8618ccfb2d54a41ee88fc78b63779c51a2203838b597d863a7f456f640c05713f126c338c2efeb30d2861deb801c135af908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8RDJB14J\search[5].htm

Filesize
115KB

MD5
3cbdd8b3fcced5ea7da26ef03f326ea2

SHA1
dd78ca6827135578c892826ff169ec725c6f4c2e

SHA256
fc232fe98d6b0a22f97055a8c1c97b70011f5ca10a57a8a8ad83ebe30a39e990

SHA512
47e1811a3ef316e8ba19bfd6ca78320ecbb79412a22c00a352330f567fe205d99e3c6a6d7ef6649fe472993ef0f3926e361c891307f0de31a3b33cd414172074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ONPDW741\JNAOHVTI.htm

Filesize
153KB

MD5
749e0047de72a3d9a4a1389fc275341f

SHA1
ce03430421c2edffa0948f261a5969730681ec36

SHA256
4ac377d5445c281a53cc274cfd0197fbd10da047d14edc6e84b091d2f213827f

SHA512
6754b15f46e150ecb1360700ae032dc927490b65b971d0ff0f76dba88b6b819d629f9628756f22482cf5f58861b8226defda75050d9db1592989b36021376268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ONPDW741\defaultW4MDINRB.htm

Filesize
310B

MD5
2a8026547dafd0504845f41881ed3ab4

SHA1
bedb776ce5eb9d61e602562a926d0fe182d499db

SHA256
231fe7c979332b82ceccc3b3c0c2446bc2c3cab5c46fb7687c4bb579a8bba7ce

SHA512
1f6fa43fc0cf5cbdb22649a156f36914b2479a93d220bf0e23a32c086da46dd37e8f3a789e7a405abef0782e7b3151087d253c63c6cefcad10fd47c699fbcf97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ONPDW741\results[1].htm

Filesize
1KB

MD5
7278e4ff28ec60fea50a08ab6a8736ea

SHA1
fa2f4fe5d79a8fe1395457c5dda20977c90a9195

SHA256
ebb0f059505efe92997be0ccba6bc8dc52c513ab40165b7b1f8d186f1eaa6c44

SHA512
dcedfae46385c12977bd6bedd83fe17bd03be79b23c74b3bfa6e93bcbc364657901246d5e85e6e4060bc3caaf61f4ecfd25255150553be086f81bea2d29d1465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SPOS9D3T\OGPGGFVY.htm

Filesize
153KB

MD5
b00fcf9500e67b918603a996a20e9650

SHA1
64f6c729e0727ad6f2afe2f3eabc00f9ceaf0218

SHA256
8a033e92857495b1ce00e6905db42682f455a24c6c4549a5c5612c06b74a2d33

SHA512
c8a293e8c49e6019cf710db75ddf045f351948881892076776cac94e157e9facb781df2b683678a6a323d03c5a553ab1ddfcf8c2dd844ab185c3b632d45c69cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SPOS9D3T\default[4].htm

Filesize
309B

MD5
5e2bddd806d4872e3dd0e8dc73989141

SHA1
548abbe69ee36be9208ad75c146dd297936bcb72

SHA256
f59e3ee934d2413a9b2c700ad586a76b24aab578d413041d3205662bbd9b79bd

SHA512
1d370d51490a3cf32990629da022a07a1a0244e85c64c94ba4279b793b6e41a77691ab9773a80cf29cc90ea5fed22c5453d86e7e4871a8ba2c1b5e60c368e851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SPOS9D3T\search[2].htm

Filesize
164KB

MD5
526bcc32567d0535f470cb8b2c25360d

SHA1
6bffc38cd9bb5eea78b63a2e394d0a0743258cf2

SHA256
9149da8b2ea1da7ce2f0bfd5c702551d5ea5a7a45fafd5cd89752480e42c09e7

SHA512
d21a0928b92ae92ea1b0ee7a02633ca9175abb6fdfa529efb59e9e531994f9161e7403fbf5e22c44271720338f0277bbcf6e65463e305e937022e95779432154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SPOS9D3T\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UmDowTpx.log

Filesize
1KB

MD5
8dde28d9ecc79799024c023f3b3ef201

SHA1
db4efed7533edc2576529c8ca232dfd7bed82cd7

SHA256
e6ae90e0e4c899b559bbf0fa9a604dcd8c3511e417bce029e31c8a7b14f2ab04

SHA512
38b37e02ba555f2c3fb62072aef41d26b87cabd4918c9984d6cf02a884ca0bbc56ac89200a3f980ef91f02bce803ed1aa35c962ae9375f97bb89c9bca6adb326

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24C9.tmp

Filesize
28KB

MD5
5a6748de8aed7be8600699fbfc824c19

SHA1
05b1a027b338fac62ce6b3b1151c719dac8e178c

SHA256
05d1b6103186b588b26dabf87e3df25b7849d6996128098337a0810f9c1ce30c

SHA512
cd56ad8054b19fced90e0891f6ab05192c99ea6d4241c248294d1367d4a206bc1de2865f5f3b4b25c507dec7a5af5d7fb4a9f9581872277ffc989b1513fcaf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
96e07450ab800859341b9a1021ea951c

SHA1
b7ce1589942739fbb024090de9fa15ecf67cc195

SHA256
735e7e58a25aab22558a3fe53cef64089d4e2fac3329bdc63302ccc2510fea5d

SHA512
87cdd0e14bf2cf20e6f0b0a1f8ec0d818147f6a766f3ed3838926fe5a34a906b8a61517e766230f483ceab754738d61b40ba4eaba7af57fe9ccad74e7b2526bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
c4112dc133068c397fa549c473ddffcf

SHA1
f0cec030cef445f33f6980db449a314f85f4b0e8

SHA256
cb407cf34c20b534a5b7fb019b1a30fc92d71613fe9ea79131030fda6a3fb1ee

SHA512
2da69430807fcfa698cfd86d3afe62c842e2389123b931737789556f5dcef7cd499384b664248c58b90b0db0802975bf26cc5487d582e9caeb8d7c4b0c2376a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b5f3e128d7e8b9add7676e7632bd1531

SHA1
99638edc5d980005f93c9a0ddce479c21f250171

SHA256
f0c0b44ef7a68d758ead09e8d4138cae10bd007c879fc05e098aa9999abb1377

SHA512
7e9492ced8b88fee4145f6622f935d5ae60100a2a9803c1359136f6c3f5a3ef48159553202039d91592bfcbe88d0102a6dd81f0828b89c9e36aa90dcb29593cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
32B

MD5
be33ed2c7eb301e48a865a46b3b26b9a

SHA1
f8b54876daae0bdabbd0c25c113ab5e155ff0754

SHA256
d053168db049d9ec5e2277237a3e3a369023f868c3baff7460d49d17a01f427c

SHA512
bae22d2e991b31e74adae5475662f328289bd23c45c19b06a8079ea3c6bf437ba3c158d59d2b8e495a00a30ed6a23b1c7b3f32d054db05acd310772ca96eb796

Download Submit
C:\Windows\java.exe

Filesize
28KB

MD5
ac9de33348ccd7b3972f40e6da403ee4

SHA1
44d2884489f9aa23192d14b8d406d7e47eef3162

SHA256
9d337f372a9b5cc08139e0861a7774fcf3e8e195b3f321d71509bb6dabf465ea

SHA512
b9059ba7195e0eff87c9fff301d2746dfdbc5e6f3668a3aba4c31f13d472f5a73c63715288a0708fd22d6c6c06fc4f351a54c033ea1eadb3b6049880414232c0

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/224-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/224-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/932-100-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1092-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1152-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-121-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1576-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1576-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1696-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1720-537-0x00007FF6C5A50000-0x00007FF6C5AB7000-memory.dmp

Filesize
412KB

Download
memory/2040-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-569-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2208-54-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2208-545-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2364-111-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2408-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2440-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2440-44-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2828-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3248-105-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3532-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3560-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3632-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3700-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3736-107-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3752-116-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3884-566-0x00007FF6C5A50000-0x00007FF6C5AB7000-memory.dmp

Filesize
412KB

Download
memory/3948-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3980-117-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4200-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4388-135-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4388-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4464-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4536-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4712-37-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4764-175-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4776-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-94-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4876-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4908-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5184-125-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5216-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5216-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5260-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5588-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5664-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5860-568-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5860-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5860-544-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5860-277-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5860-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5860-499-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5928-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6132-144-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6264-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6284-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6348-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6404-184-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6496-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6496-188-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6668-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6772-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6864-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6864-195-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6900-197-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7072-198-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7092-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7104-205-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7104-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7160-208-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7180-223-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7240-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7288-219-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7396-213-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7480-196-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7488-217-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7496-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7548-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7808-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7928-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7928-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7952-228-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7976-233-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8064-221-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8124-235-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8140-214-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8140-239-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8348-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8360-249-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8368-230-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8376-250-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8468-256-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8728-236-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8756-254-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8776-244-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8792-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8808-253-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8824-242-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/9156-248-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/9168-247-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/14140-505-0x00007FF6C5A50000-0x00007FF6C5AB7000-memory.dmp

Filesize
412KB

Download
memory/14316-541-0x00007FF6C5A50000-0x00007FF6C5AB7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads