mydoom | 5b2eb9e6f526d28e15c50fa10ecbf95143f81689c3a7ac4999b48b79c33f5d0e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe
Size

28KB
MD5

b614061c7d1ef48a1465d73424129b18
SHA1

6e82fc9560d67a45416a2a604977559350fa4788
SHA256

5b2eb9e6f526d28e15c50fa10ecbf95143f81689c3a7ac4999b48b79c33f5d0e
SHA512

0dc4795247862a819975d80ac4f164dd99c1bec5727dd5d67960702dd7a34ced0ca17e4e9184f39739f981a14fb0982a727bbf78049570d49ddb74b22bc44f27
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNZNUSvU:Dv8IRRdsxq1DjJcqfrd

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/1460-16-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/4904-37-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/5136-47-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1460-554-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/5136-599-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1460-605-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 64 IoCs

pid	Process
3452	services.exe
1460	java.exe
676	services.exe
4800	services.exe
940	services.exe
4852	services.exe
4904	java.exe
2820	services.exe
1012	services.exe
3568	services.exe
5116	services.exe
5228	services.exe
640	services.exe
544	services.exe
2352	services.exe
2560	services.exe
5452	services.exe
2432	services.exe
5912	services.exe
3440	services.exe
5164	services.exe
1512	services.exe
5604	services.exe
3736	services.exe
3232	services.exe
5956	services.exe
5880	services.exe
2780	services.exe
3788	services.exe
5584	services.exe
2828	services.exe
4648	services.exe
4640	services.exe
4796	services.exe
1820	services.exe
1892	services.exe
1080	services.exe
5372	services.exe
5708	services.exe
1844	services.exe
2024	services.exe
6152	services.exe
6260	services.exe
6268	services.exe
6276	services.exe
6384	services.exe
6392	services.exe
6588	services.exe
6716	services.exe
6800	services.exe
6860	services.exe
6876	services.exe
7036	services.exe
7044	services.exe
7068	services.exe
6336	services.exe
6624	services.exe
7204	services.exe
7336	services.exe
7376	services.exe
7392	services.exe
7432	services.exe
7536	services.exe
7680	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5136-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3452-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000800000002433d-4.dat	upx
behavioral1/memory/4800-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1460-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x0008000000024341-15.dat	upx
behavioral1/memory/4852-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4904-37-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1012-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3568-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5136-47-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3452-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5228-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/640-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4800-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/676-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/544-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/940-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2560-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4852-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2820-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2432-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3568-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5116-91-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5604-102-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/640-101-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2352-108-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5956-115-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2560-114-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5452-121-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2432-124-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2780-123-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5880-122-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3440-134-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5584-133-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3788-132-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5912-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4648-141-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1512-140-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5604-142-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3736-144-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1820-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3232-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1080-151-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2780-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5372-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5708-158-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5584-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2024-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2828-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6260-166-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4640-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4796-168-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6276-170-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6268-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1080-173-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5372-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6716-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1844-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6800-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6152-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6876-186-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe
File created	C:\Windows\services.exe	java.exe
File opened for modification	C:\Windows\java.exe	java.exe
File created	C:\Windows\java.exe	java.exe
File created	C:\Windows\services.exe	JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	15388	dwm.exe
Token: SeChangeNotifyPrivilege	15388	dwm.exe
Token: 33	15388	dwm.exe
Token: SeIncBasePriorityPrivilege	15388	dwm.exe
Token: SeCreateGlobalPrivilege	15316	dwm.exe
Token: SeChangeNotifyPrivilege	15316	dwm.exe
Token: 33	15316	dwm.exe
Token: SeIncBasePriorityPrivilege	15316	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5136 wrote to memory of 3452	5136	JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe	85
PID 5136 wrote to memory of 3452	5136	JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe	85
PID 5136 wrote to memory of 3452	5136	JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe	85
PID 2356 wrote to memory of 1460	2356	cmd.exe	92
PID 2356 wrote to memory of 1460	2356	cmd.exe	92
PID 2356 wrote to memory of 1460	2356	cmd.exe	92
PID 5308 wrote to memory of 676	5308	cmd.exe	93
PID 5308 wrote to memory of 676	5308	cmd.exe	93
PID 5308 wrote to memory of 676	5308	cmd.exe	93
PID 1460 wrote to memory of 4800	1460	java.exe	94
PID 1460 wrote to memory of 4800	1460	java.exe	94
PID 1460 wrote to memory of 4800	1460	java.exe	94
PID 5544 wrote to memory of 940	5544	cmd.exe	98
PID 5544 wrote to memory of 940	5544	cmd.exe	98
PID 5544 wrote to memory of 940	5544	cmd.exe	98
PID 2796 wrote to memory of 4852	2796	cmd.exe	104
PID 2796 wrote to memory of 4852	2796	cmd.exe	104
PID 2796 wrote to memory of 4852	2796	cmd.exe	104
PID 2632 wrote to memory of 4904	2632	cmd.exe	107
PID 2632 wrote to memory of 4904	2632	cmd.exe	107
PID 2632 wrote to memory of 4904	2632	cmd.exe	107
PID 244 wrote to memory of 2820	244	cmd.exe	110
PID 244 wrote to memory of 2820	244	cmd.exe	110
PID 244 wrote to memory of 2820	244	cmd.exe	110
PID 4696 wrote to memory of 1012	4696	cmd.exe	111
PID 4696 wrote to memory of 1012	4696	cmd.exe	111
PID 4696 wrote to memory of 1012	4696	cmd.exe	111
PID 4764 wrote to memory of 3568	4764	cmd.exe	116
PID 4764 wrote to memory of 3568	4764	cmd.exe	116
PID 4764 wrote to memory of 3568	4764	cmd.exe	116
PID 5924 wrote to memory of 5116	5924	cmd.exe	119
PID 5924 wrote to memory of 5116	5924	cmd.exe	119
PID 5924 wrote to memory of 5116	5924	cmd.exe	119
PID 5036 wrote to memory of 5228	5036	cmd.exe	122
PID 5036 wrote to memory of 5228	5036	cmd.exe	122
PID 5036 wrote to memory of 5228	5036	cmd.exe	122
PID 5056 wrote to memory of 640	5056	cmd.exe	123
PID 5056 wrote to memory of 640	5056	cmd.exe	123
PID 5056 wrote to memory of 640	5056	cmd.exe	123
PID 5024 wrote to memory of 544	5024	cmd.exe	128
PID 5024 wrote to memory of 544	5024	cmd.exe	128
PID 5024 wrote to memory of 544	5024	cmd.exe	128
PID 2468 wrote to memory of 2352	2468	cmd.exe	131
PID 2468 wrote to memory of 2352	2468	cmd.exe	131
PID 2468 wrote to memory of 2352	2468	cmd.exe	131
PID 632 wrote to memory of 2560	632	cmd.exe	134
PID 632 wrote to memory of 2560	632	cmd.exe	134
PID 632 wrote to memory of 2560	632	cmd.exe	134
PID 1748 wrote to memory of 5452	1748	cmd.exe	137
PID 1748 wrote to memory of 5452	1748	cmd.exe	137
PID 1748 wrote to memory of 5452	1748	cmd.exe	137
PID 3572 wrote to memory of 2432	3572	cmd.exe	140
PID 3572 wrote to memory of 2432	3572	cmd.exe	140
PID 3572 wrote to memory of 2432	3572	cmd.exe	140
PID 2748 wrote to memory of 5912	2748	cmd.exe	143
PID 2748 wrote to memory of 5912	2748	cmd.exe	143
PID 2748 wrote to memory of 5912	2748	cmd.exe	143
PID 2884 wrote to memory of 3440	2884	cmd.exe	148
PID 2884 wrote to memory of 3440	2884	cmd.exe	148
PID 2884 wrote to memory of 3440	2884	cmd.exe	148
PID 5140 wrote to memory of 5164	5140	cmd.exe	149
PID 5140 wrote to memory of 5164	5140	cmd.exe	149
PID 5140 wrote to memory of 5164	5140	cmd.exe	149
PID 316 wrote to memory of 1512	316	cmd.exe	154

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b614061c7d1ef48a1465d73424129b18.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5136
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5544
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5924
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5140
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1688
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:1588
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3480
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1984
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5784
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:5820
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4712
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:648
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5804
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3952
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6040
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6200
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6364
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6664
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6672
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6764
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6960
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7152
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6908
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6932
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:7700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7368
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7488
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7792
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7812
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7912
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8160
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7416
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7516
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8168
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8288
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8484
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:8736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8544
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8692
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8704
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8716
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8960
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9060
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9068
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9100
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:10060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9280
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9452
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9488
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9740
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9796
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10156
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8628
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10200
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10304
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10404
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10636
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10716
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:11552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10908
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11096
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:11168
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10412
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10468
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11160
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5688
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11460
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11856
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11924
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:11940
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:12984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12252
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2628
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11680
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12296
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12384
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12460
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12552
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12660
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12752
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12816
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12908
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13104
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:14240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13252
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12708
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12704
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13348
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13404
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:14384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13568
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14176
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14476
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14552
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14560
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14576
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15248
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14748
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:12428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14612
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9948
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13056
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15308
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14036
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5496
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3700
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7936

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15548
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16084
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:16864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6772
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16420
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16704
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16892
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16932
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:17400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17140
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17296
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17428
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18176
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18288
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18816
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20200

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15316

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:19924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20024
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13396
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20384
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:19772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18100
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19836
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:17756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:652
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5920
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17940
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4084
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20224
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1464
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15776
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3640
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7828
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8256
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8700
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2804
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9552
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6348
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1096
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7404
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12260
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:19572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8508
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13340
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14872
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10600
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11620
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14160
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8780
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15524

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7U2DS24N\OIAGH9TG.htm

Filesize
153KB

MD5
cf4450ad1c3bff06db2146fd7bb87b3c

SHA1
118e7f61216168dc2eb84d06a5795075c64c3847

SHA256
a455c21fd954e166d4c37690dece2218ae61d1415fe499c03f0403215b3a8ab1

SHA512
6ba48ca77be9391853dc97351626394a893022dcdd853886fdf2978abd718835292b762877be81d7bbffb7fb4a25beab351b4577f31210cc1fe34624919ddf95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH2PF5WH\search[2].htm

Filesize
120KB

MD5
07879de3c8558b5a1be66fdcec93783a

SHA1
933c81c9fa77bd1d95bcdd6f1dfacd8b6e17ed04

SHA256
5d02f3923d1e8adfd6049da2f7a18ce82a2c7133e593208ad1cf80684aa6ff53

SHA512
ee664bff085ef29e8ff898c7ab0d2149600e30b746eb885b2459c776c63e0acb79337ac424e5c5ecf26aa1c7f131dcd456a8d8705b9445172d1da7b8d0990430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BLDESBJ5\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\omdf0ck.log

Filesize
1KB

MD5
af1898757dbe4862aaece8ba79c8d010

SHA1
a8142de9ecc3612301fe02fd6771e5c78e5308ae

SHA256
92ef91e6f7e95e4e659b46edecdadff88f76277212023a849eb0d535736917a5

SHA512
6f585db31ebb4fea1520d21f92d7162a158c124ee2b1a17cfad744fcecc48f95cdac4b40ff50f25f976bd02f0aea876d82f9c8c57d97c60b8c08bd86b6dd1573

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF879.tmp

Filesize
28KB

MD5
d2de1783e4b5430dc74f846a8fd4966d

SHA1
1bb2fcdfcfee41e7e4f35ff55cc6eb8a0ddfaece

SHA256
18378528d5d6f4dc2d81c6124b5897dfd3adb0491721cd56f4b4f00e12ad5b16

SHA512
6d1596da6f3948edf92656476289142e353feaa43bd67f99da8b05de04a880b6f2eb2760f5e40417b56c5359482085201a6961fb0c3d04fc9bb5f08ca63dbaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5f016e45d7bf68ad2d8b99567e42505c

SHA1
9db972a6525774853b66efacbcee83d4a05dfbac

SHA256
ec962f7c7d67d3015b849e2f1af25ed010b332ecd53d4c8eb28c057931dd0a67

SHA512
4cf036fd7821b76c7c81bd68b7a7337c480ba22c8f0d02403476c3bd690e589d49f08140f01b9a342194af1e77abbdecf64ab1c272e20bad34405c7258eb9c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
4fcd9fe7affee0c28c2c22b308a2d143

SHA1
f778c57f6eb4b1bc3807285bc866e7922f75df6b

SHA256
499da992ec87056a18eb576f3277ef6eebc4b62b7d6a34f627dcf2ea019f80d4

SHA512
281f7affb307834ea372aa31cc4f912761acd8414b2c4868ca3f63c1b277c7c027e19cb8c5bc180d4b6ab10886aea6c9c09ee075e406571739c1292a9067f440

Download Submit
C:\Windows\java.exe

Filesize
28KB

MD5
b614061c7d1ef48a1465d73424129b18

SHA1
6e82fc9560d67a45416a2a604977559350fa4788

SHA256
5b2eb9e6f526d28e15c50fa10ecbf95143f81689c3a7ac4999b48b79c33f5d0e

SHA512
0dc4795247862a819975d80ac4f164dd99c1bec5727dd5d67960702dd7a34ced0ca17e4e9184f39739f981a14fb0982a727bbf78049570d49ddb74b22bc44f27

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/544-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/640-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/640-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/676-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/940-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1080-173-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1080-151-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1460-605-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1460-554-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1460-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1512-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1820-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2024-184-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2024-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2352-108-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2432-124-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2432-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2560-114-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2560-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2780-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2780-123-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2820-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2828-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3232-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3440-134-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3452-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3452-601-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3452-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3452-493-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3452-288-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3452-553-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3568-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3568-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3736-144-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3788-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4640-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4648-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4796-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4852-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4852-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4904-37-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5116-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5136-599-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5136-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5136-47-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5228-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5372-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5372-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5452-121-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5584-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5584-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5604-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5604-102-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5708-158-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5880-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5912-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5956-115-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6152-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6260-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6268-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6276-189-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6276-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6336-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6384-193-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6588-198-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6624-195-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6624-221-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6716-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6800-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6860-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6876-186-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6876-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7036-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7044-212-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7068-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7204-199-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7336-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7336-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7376-201-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7376-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7392-228-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7432-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7536-210-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7680-213-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7700-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7708-217-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7708-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7744-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7784-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8032-224-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8076-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8100-229-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8112-230-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8128-234-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8248-239-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8400-242-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8444-244-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8452-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads