mydoom | 0d9c99a6ec30366d863d577b3504c6d3c73bf0e02455dc8c01e263cb1e9b3f18

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe
Size

28KB
MD5

af5327aee4df576c2c777994a266ffd7
SHA1

19574629fadc3f9b3fbc18278dcf51e3cd0de36d
SHA256

0d9c99a6ec30366d863d577b3504c6d3c73bf0e02455dc8c01e263cb1e9b3f18
SHA512

196513a60e09a4e6fcd44b45dcbb9650e8006c84d0a5b2fd127bdb07730db50a10c8ef9e79418997d700fb702f7ebdcf0adeb73868ac4ee5f9083b64f2856dff
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNxY:Dv8IRRdsxq1DjJcqfZ

Score

10^/10

mydoom microsoft discovery persistence phishing product:outlook upx worm

Malware Config

Signatures

Detected microsoft outlook phishing page 1 IoCs

phishing microsoft product:outlook

flow	pid	Process
59	2612	java.exe

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral1/memory/4732-38-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/4492-49-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2612-56-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2612-557-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2612-625-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 64 IoCs

pid	Process
5508	services.exe
2612	java.exe
5048	services.exe
5104	services.exe
2256	services.exe
4640	services.exe
4732	java.exe
5516	services.exe
4836	services.exe
4828	services.exe
5908	services.exe
4064	services.exe
5148	services.exe
932	services.exe
5252	services.exe
4452	services.exe
5404	services.exe
4576	services.exe
2824	services.exe
3324	services.exe
6096	services.exe
4672	services.exe
5740	services.exe
448	services.exe
4476	services.exe
1944	services.exe
1224	services.exe
4408	services.exe
2696	services.exe
2456	services.exe
5628	services.exe
5640	services.exe
4612	services.exe
4732	services.exe
4808	services.exe
1504	services.exe
112	services.exe
5764	services.exe
4956	services.exe
6036	services.exe
2244	services.exe
5012	services.exe
3008	services.exe
6248	services.exe
6260	services.exe
6364	services.exe
6380	services.exe
6388	services.exe
6548	services.exe
6684	services.exe
6824	services.exe
6816	services.exe
6920	services.exe
6940	services.exe
7104	services.exe
7112	services.exe
6416	services.exe
6468	services.exe
6972	services.exe
7256	services.exe
7288	services.exe
7384	services.exe
7488	services.exe
7616	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4492-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000800000002421f-4.dat	upx
behavioral1/memory/5508-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0009000000024222-15.dat	upx
behavioral1/memory/2612-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/5048-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2256-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4732-38-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/4640-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4828-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4492-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/5508-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5148-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5048-59-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-56-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/5104-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5252-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2256-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4640-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5404-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4452-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4576-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5516-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4836-87-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5740-105-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/448-109-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/932-108-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4064-100-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4672-99-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6096-98-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5908-97-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4476-115-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5252-114-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5404-125-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1224-124-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1944-123-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4452-122-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4408-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4576-130-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-133-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3324-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5628-144-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6096-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5740-147-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4732-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4476-151-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4808-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/448-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1504-156-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1224-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/112-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2244-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2456-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5640-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4612-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4808-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1504-175-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6388-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6380-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5764-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6364-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6548-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4956-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	java.exe
File created	C:\Windows\services.exe	JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe
File created	C:\Windows\java.exe	JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe
File created	C:\Windows\services.exe	java.exe
File opened for modification	C:\Windows\java.exe	java.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	15216	dwm.exe
Token: SeChangeNotifyPrivilege	15216	dwm.exe
Token: 33	15216	dwm.exe
Token: SeIncBasePriorityPrivilege	15216	dwm.exe
Token: SeShutdownPrivilege	15216	dwm.exe
Token: SeCreatePagefilePrivilege	15216	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 5508	4492	JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe	84
PID 4492 wrote to memory of 5508	4492	JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe	84
PID 4492 wrote to memory of 5508	4492	JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe	84
PID 3556 wrote to memory of 2612	3556	cmd.exe	92
PID 3556 wrote to memory of 2612	3556	cmd.exe	92
PID 3556 wrote to memory of 2612	3556	cmd.exe	92
PID 2612 wrote to memory of 5048	2612	java.exe	93
PID 2612 wrote to memory of 5048	2612	java.exe	93
PID 2612 wrote to memory of 5048	2612	java.exe	93
PID 2380 wrote to memory of 5104	2380	cmd.exe	98
PID 2380 wrote to memory of 5104	2380	cmd.exe	98
PID 2380 wrote to memory of 5104	2380	cmd.exe	98
PID 2748 wrote to memory of 2256	2748	cmd.exe	100
PID 2748 wrote to memory of 2256	2748	cmd.exe	100
PID 2748 wrote to memory of 2256	2748	cmd.exe	100
PID 4296 wrote to memory of 4640	4296	cmd.exe	104
PID 4296 wrote to memory of 4640	4296	cmd.exe	104
PID 4296 wrote to memory of 4640	4296	cmd.exe	104
PID 5236 wrote to memory of 4732	5236	cmd.exe	191
PID 5236 wrote to memory of 4732	5236	cmd.exe	191
PID 5236 wrote to memory of 4732	5236	cmd.exe	191
PID 4796 wrote to memory of 5516	4796	cmd.exe	110
PID 4796 wrote to memory of 5516	4796	cmd.exe	110
PID 4796 wrote to memory of 5516	4796	cmd.exe	110
PID 4644 wrote to memory of 4836	4644	cmd.exe	111
PID 4644 wrote to memory of 4836	4644	cmd.exe	111
PID 4644 wrote to memory of 4836	4644	cmd.exe	111
PID 4804 wrote to memory of 4828	4804	cmd.exe	116
PID 4804 wrote to memory of 4828	4804	cmd.exe	116
PID 4804 wrote to memory of 4828	4804	cmd.exe	116
PID 4632 wrote to memory of 5908	4632	cmd.exe	119
PID 4632 wrote to memory of 5908	4632	cmd.exe	119
PID 4632 wrote to memory of 5908	4632	cmd.exe	119
PID 3672 wrote to memory of 4064	3672	cmd.exe	122
PID 3672 wrote to memory of 4064	3672	cmd.exe	122
PID 3672 wrote to memory of 4064	3672	cmd.exe	122
PID 5708 wrote to memory of 5148	5708	cmd.exe	123
PID 5708 wrote to memory of 5148	5708	cmd.exe	123
PID 5708 wrote to memory of 5148	5708	cmd.exe	123
PID 5052 wrote to memory of 932	5052	cmd.exe	128
PID 5052 wrote to memory of 932	5052	cmd.exe	128
PID 5052 wrote to memory of 932	5052	cmd.exe	128
PID 3636 wrote to memory of 5252	3636	cmd.exe	129
PID 3636 wrote to memory of 5252	3636	cmd.exe	129
PID 3636 wrote to memory of 5252	3636	cmd.exe	129
PID 4540 wrote to memory of 4452	4540	cmd.exe	134
PID 4540 wrote to memory of 4452	4540	cmd.exe	134
PID 4540 wrote to memory of 4452	4540	cmd.exe	134
PID 3152 wrote to memory of 5404	3152	cmd.exe	136
PID 3152 wrote to memory of 5404	3152	cmd.exe	136
PID 3152 wrote to memory of 5404	3152	cmd.exe	136
PID 4316 wrote to memory of 4576	4316	cmd.exe	142
PID 4316 wrote to memory of 4576	4316	cmd.exe	142
PID 4316 wrote to memory of 4576	4316	cmd.exe	142
PID 5864 wrote to memory of 2824	5864	cmd.exe	143
PID 5864 wrote to memory of 2824	5864	cmd.exe	143
PID 5864 wrote to memory of 2824	5864	cmd.exe	143
PID 5980 wrote to memory of 3324	5980	cmd.exe	148
PID 5980 wrote to memory of 3324	5980	cmd.exe	148
PID 5980 wrote to memory of 3324	5980	cmd.exe	148
PID 1492 wrote to memory of 4672	1492	cmd.exe	152
PID 1492 wrote to memory of 4672	1492	cmd.exe	152
PID 1492 wrote to memory of 4672	1492	cmd.exe	152
PID 2484 wrote to memory of 6096	2484	cmd.exe	151

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af5327aee4df576c2c777994a266ffd7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Detected microsoft outlook phishing page
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5236
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5980
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:2868
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5040
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2844
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1488
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3848
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4268
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3292
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6084
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:5556
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2288
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6180
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6288
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6328
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6436
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6500
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6508
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6656
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6872
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6884
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6988
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6204
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6516
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6536
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7240
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7440
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7556
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7700
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7760
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7892
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7948
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8024
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8160
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7228
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:408
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3156
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8272
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8296
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:9008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8388
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8580
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8704
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8776
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8808
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8816
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9072
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9084
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9212
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9268
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9332
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9452
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9812
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9828
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10028
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:10808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10048
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10200
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9440
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9940
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10260
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10348
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10464
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10772
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10932
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:11800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10952
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11148
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9788
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10500
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11460
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11556
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11704
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:11904
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:13156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11940
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11948
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12060
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12168
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11116
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11380
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12000
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12392
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12576
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12544
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12740
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13148
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13252
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13272
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:13776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12360
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13392
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13664
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13848
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13860
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13896
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14216
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3080
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14848
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15228
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14204
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14788
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14824
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:14616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15196
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13820
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14504
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14416

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13316
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3432
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15764
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:16288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16220
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16296
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16348
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1180
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3452
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:16584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:968
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:17096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4524
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16500
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16608
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16736
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17024
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6784
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17768
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18028
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19596
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19676
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19812
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20148
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20292
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19580
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19868
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:20220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4084
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14568
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7064
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7280
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20040
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:20092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8208
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8568
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5912
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8468 -ip 8468
1⤵
PID:8728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9600
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10768
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12796
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13424
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10848
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12720
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12976
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13588

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DFXQC0GF\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UL1LUHE1\search[1].htm

Filesize
159KB

MD5
aa6eb3f92b729225a4f9be2abcbc4e85

SHA1
35b4b52db28090503984de26bef9e06cf0f1caf6

SHA256
2eecba45f8d55001a89799afe8616ecba3a0c8786c40e9f3745865f934b2a446

SHA512
be6fa56fc1c259b212aa396c5c84fc23896482c52ef58f5361b23bf119c2c53a910bcf3b2e63e834454063bb39ae2c8d41432467bda0d74003735ce34cfb87e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XEI6TIRB\VSNJTJCS.htm

Filesize
153KB

MD5
4b2d8ac6d3fb5f2b0811c6e815463d57

SHA1
0e57a1df9931a323c7799182921904871058f6c4

SHA256
c98c39add89d8d1135775052b8832230a3cea1e6f5221f20f673a47ada40983b

SHA512
6433bc71877fa1312c4cfe2cc388721382f49aae18aa0a04937e7320e2d0718da89ba1081893849e42fb47c775ddaef8eaaecaff2baea2b6421a835f59ffcb2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XEI6TIRB\search[3].htm

Filesize
122KB

MD5
56a181f381c2468cc924dbe2d38f2079

SHA1
dff1cc80af9358314f86fb27b5a3fe3940771335

SHA256
51a22b8e92b8e95ac86919e80dda76085c8ada427e6782b4a3b0eeedf8d4dc97

SHA512
17c9541cb2b0d180c4a36cfd3e8df866d909d524bf755c4d5580ad420c736d4d357f15d06f8fd9eaec24fda7cc9f91464c320f46efdc189e59b70fb7222389e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbwvl.log

Filesize
1KB

MD5
13583775fa42e19795b51ebd9d227a1b

SHA1
d5cf9094abb21448619e5db190f2cfdaf5e30b90

SHA256
a7fccc819256a7923c8e3cd66f0fd8a08f532ee8b900066cdf783826f0c04ed5

SHA512
e2ad78d2be78716931b7b9d8902cdf1ccd74f0727a4536968c6f25634a3a3d86967e10eefeb38edfe4884b72f5d0f164dbe0b93089b9780e84f84b6a46911bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1122.tmp

Filesize
28KB

MD5
9805dd240f04b52988914237d818055d

SHA1
488053aebd07f25d5daf83577ff606b68855deb7

SHA256
90881eca3a174f974d2b628a1aeb243a29534e5ce3a6ac2f2121c0dd5992ae68

SHA512
8fe3a2403da2805337a6d72341df4d38896eca4d6e57e91fd68f831fdd1f96f22f3d47da5016046f8fbb0c064f3c1d7a5ca48e0603d01e0e4e02565363988aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
81a93b48e01a79fc5eac7ffa59cb989f

SHA1
b3d49117e5c9b8cf3e2156ccd2eea4dd08e7d7cb

SHA256
1b0815cb47737661ca5f3ce2db035066427b6ebce0e618a52eca3acbf22dd938

SHA512
78bb372cd136dc43b5dca373be31c25a19a88068d916af7b2d9fe31d693f5015d0c4883fd5a5e72fb2e31261ffa6c1fc927584a08e8822769594d9c3992228ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
48221375420f2bf7b43cb7ee08831ea5

SHA1
ed20d94bf5e45f1887147e06561e53198a38f12f

SHA256
c13acc06ea327ed989dcfc5dbe2dba4aa9d5a08acc6d64ea0a954301fac8bc65

SHA512
e3a825aad658da510af5156acaa35ca5624b86ccbe47e0a6c6906fd4de005e90ccf86714c234a1b5b7903030fe088c97f69f2e777eeae3dc66b53a4cbed138df

Download Submit
C:\Windows\java.exe

Filesize
28KB

MD5
af5327aee4df576c2c777994a266ffd7

SHA1
19574629fadc3f9b3fbc18278dcf51e3cd0de36d

SHA256
0d9c99a6ec30366d863d577b3504c6d3c73bf0e02455dc8c01e263cb1e9b3f18

SHA512
196513a60e09a4e6fcd44b45dcbb9650e8006c84d0a5b2fd127bdb07730db50a10c8ef9e79418997d700fb702f7ebdcf0adeb73868ac4ee5f9083b64f2856dff

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/112-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/448-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/448-109-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/932-108-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-124-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1452-243-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1504-175-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1504-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-236-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1944-123-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2244-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2256-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2256-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2456-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-625-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2612-626-0x0000000075C60000-0x0000000075D1F000-memory.dmp

Filesize
764KB

Download
memory/2612-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2612-557-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2612-56-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2696-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3324-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4064-100-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4408-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4452-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4452-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4476-151-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4476-115-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4492-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4492-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4576-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4576-130-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4612-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4640-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4640-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4672-99-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4732-38-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4732-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4808-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4828-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4956-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5012-189-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5048-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5048-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5148-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5252-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5252-114-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5404-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5404-125-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5508-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5508-487-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5508-556-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5508-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5508-624-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5508-272-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5516-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5524-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5628-144-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5640-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5740-105-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5740-147-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5764-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5908-97-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6036-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6096-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6096-98-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6248-194-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6260-197-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6364-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6380-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6388-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6416-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6468-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6548-205-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6548-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6684-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6816-210-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6824-188-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6920-193-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6940-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6972-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7104-198-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7112-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7256-230-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7288-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7384-213-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7488-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7616-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7624-239-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7624-219-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7640-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7816-244-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7816-223-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7872-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8068-231-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8076-232-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8100-235-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8228-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/13716-548-0x00007FF6067F0000-0x00007FF606857000-memory.dmp

Filesize
412KB

Download
memory/17508-614-0x00007FF6067F0000-0x00007FF606857000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads