mydoom | 0e66dc39801a53ca8a51e3e1f9bfb896f7cefb71b3438b1d590480d0600c3fde

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe
Size

28KB
MD5

b42ccd13b77d2b29471adfa27a6ec39c
SHA1

c8384e3925241de0440ca6807829e9cb7c0d0d3b
SHA256

0e66dc39801a53ca8a51e3e1f9bfb896f7cefb71b3438b1d590480d0600c3fde
SHA512

14ac9ac914c17c709d4a32faa20a23b0a0a24bfbd1fc7901b11620dabfc3d14efbec6f8c333d4843a5942189bd3fe32619a925250177e2c5bd020a4174221472
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN3s6Q9:Dv8IRRdsxq1DjJcqfH

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/4980-33-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/5684-44-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/5968-51-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/5968-516-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/5968-542-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/5968-653-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 64 IoCs

pid	Process
5304	services.exe
5968	java.exe
4076	services.exe
1752	services.exe
4812	services.exe
4980	java.exe
4904	services.exe
6084	services.exe
4916	services.exe
4992	services.exe
5028	services.exe
3188	services.exe
3164	services.exe
5516	services.exe
1572	services.exe
4828	services.exe
2884	services.exe
6080	services.exe
1840	services.exe
1056	services.exe
892	services.exe
2840	services.exe
1980	services.exe
2256	services.exe
3904	services.exe
2720	services.exe
5784	services.exe
4380	services.exe
5548	services.exe
5552	services.exe
3880	services.exe
4512	services.exe
4792	services.exe
2660	services.exe
3908	services.exe
1300	services.exe
5604	services.exe
3736	services.exe
1260	services.exe
4564	services.exe
4952	services.exe
6180	services.exe
6324	services.exe
6332	services.exe
6404	services.exe
6436	services.exe
6580	services.exe
6608	services.exe
6636	services.exe
6812	services.exe
6896	services.exe
6912	services.exe
6920	services.exe
5476	services.exe
6452	services.exe
7028	services.exe
6976	services.exe
7252	services.exe
7320	services.exe
7328	services.exe
7456	services.exe
7496	services.exe
7708	services.exe
7716	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5684-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000800000002433d-4.dat	upx
behavioral1/memory/5304-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000024341-14.dat	upx
behavioral1/memory/4980-33-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/5684-44-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/5304-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5028-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5968-51-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3164-59-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4076-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1752-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5516-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4812-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4904-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-76-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6084-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1840-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4916-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4992-88-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1056-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/892-94-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5028-93-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2840-99-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3188-98-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2256-108-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5516-107-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3904-111-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1572-110-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4828-115-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-119-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6080-123-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5548-130-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1840-129-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5552-135-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1056-134-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/892-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2840-140-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1980-141-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3904-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3908-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2720-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4380-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3736-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5604-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/5784-151-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4952-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3880-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4792-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4512-162-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6180-164-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2660-166-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6332-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3908-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6436-173-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1300-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3736-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6580-175-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1260-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4564-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6920-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6912-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6324-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/6452-190-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe
File created	C:\Windows\java.exe	JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe
File created	C:\Windows\services.exe	java.exe
File opened for modification	C:\Windows\java.exe	java.exe
File created	C:\Windows\java.exe	java.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5352	5968	WerFault.exe	93
4276	5684	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	15404	dwm.exe
Token: SeChangeNotifyPrivilege	15404	dwm.exe
Token: 33	15404	dwm.exe
Token: SeIncBasePriorityPrivilege	15404	dwm.exe
Token: SeShutdownPrivilege	15404	dwm.exe
Token: SeCreatePagefilePrivilege	15404	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5684 wrote to memory of 5304	5684	JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe	86
PID 5684 wrote to memory of 5304	5684	JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe	86
PID 5684 wrote to memory of 5304	5684	JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe	86
PID 2516 wrote to memory of 5968	2516	cmd.exe	93
PID 2516 wrote to memory of 5968	2516	cmd.exe	93
PID 2516 wrote to memory of 5968	2516	cmd.exe	93
PID 5968 wrote to memory of 4076	5968	java.exe	94
PID 5968 wrote to memory of 4076	5968	java.exe	94
PID 5968 wrote to memory of 4076	5968	java.exe	94
PID 3528 wrote to memory of 1752	3528	cmd.exe	97
PID 3528 wrote to memory of 1752	3528	cmd.exe	97
PID 3528 wrote to memory of 1752	3528	cmd.exe	97
PID 1636 wrote to memory of 4812	1636	cmd.exe	102
PID 1636 wrote to memory of 4812	1636	cmd.exe	102
PID 1636 wrote to memory of 4812	1636	cmd.exe	102
PID 4648 wrote to memory of 4980	4648	cmd.exe	105
PID 4648 wrote to memory of 4980	4648	cmd.exe	105
PID 4648 wrote to memory of 4980	4648	cmd.exe	105
PID 1308 wrote to memory of 4904	1308	cmd.exe	106
PID 1308 wrote to memory of 4904	1308	cmd.exe	106
PID 1308 wrote to memory of 4904	1308	cmd.exe	106
PID 4724 wrote to memory of 6084	4724	cmd.exe	107
PID 4724 wrote to memory of 6084	4724	cmd.exe	107
PID 4724 wrote to memory of 6084	4724	cmd.exe	107
PID 4852 wrote to memory of 4916	4852	cmd.exe	114
PID 4852 wrote to memory of 4916	4852	cmd.exe	114
PID 4852 wrote to memory of 4916	4852	cmd.exe	114
PID 1480 wrote to memory of 4992	1480	cmd.exe	117
PID 1480 wrote to memory of 4992	1480	cmd.exe	117
PID 1480 wrote to memory of 4992	1480	cmd.exe	117
PID 3416 wrote to memory of 5028	3416	cmd.exe	118
PID 3416 wrote to memory of 5028	3416	cmd.exe	118
PID 3416 wrote to memory of 5028	3416	cmd.exe	118
PID 4040 wrote to memory of 3188	4040	cmd.exe	119
PID 4040 wrote to memory of 3188	4040	cmd.exe	119
PID 4040 wrote to memory of 3188	4040	cmd.exe	119
PID 3520 wrote to memory of 3164	3520	cmd.exe	126
PID 3520 wrote to memory of 3164	3520	cmd.exe	126
PID 3520 wrote to memory of 3164	3520	cmd.exe	126
PID 5020 wrote to memory of 5516	5020	cmd.exe	129
PID 5020 wrote to memory of 5516	5020	cmd.exe	129
PID 5020 wrote to memory of 5516	5020	cmd.exe	129
PID 748 wrote to memory of 1572	748	cmd.exe	130
PID 748 wrote to memory of 1572	748	cmd.exe	130
PID 748 wrote to memory of 1572	748	cmd.exe	130
PID 972 wrote to memory of 4828	972	cmd.exe	135
PID 972 wrote to memory of 4828	972	cmd.exe	135
PID 972 wrote to memory of 4828	972	cmd.exe	135
PID 2020 wrote to memory of 2884	2020	cmd.exe	136
PID 2020 wrote to memory of 2884	2020	cmd.exe	136
PID 2020 wrote to memory of 2884	2020	cmd.exe	136
PID 2748 wrote to memory of 6080	2748	cmd.exe	141
PID 2748 wrote to memory of 6080	2748	cmd.exe	141
PID 2748 wrote to memory of 6080	2748	cmd.exe	141
PID 2744 wrote to memory of 1840	2744	cmd.exe	143
PID 2744 wrote to memory of 1840	2744	cmd.exe	143
PID 2744 wrote to memory of 1840	2744	cmd.exe	143
PID 5800 wrote to memory of 1056	5800	cmd.exe	149
PID 5800 wrote to memory of 1056	5800	cmd.exe	149
PID 5800 wrote to memory of 1056	5800	cmd.exe	149
PID 2472 wrote to memory of 892	2472	cmd.exe	152
PID 2472 wrote to memory of 892	2472	cmd.exe	152
PID 2472 wrote to memory of 892	2472	cmd.exe	152
PID 3172 wrote to memory of 1980	3172	cmd.exe	155

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b42ccd13b77d2b29471adfa27a6ec39c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5684
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  PID:5304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 4732
  2⤵
  - Program crash
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5968
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 5924
    3⤵
    - Program crash
    PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\java.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\java.exe
  C:\Windows\java.exe
  2⤵
  - Executes dropped EXE
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5800
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5988
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1352
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:1588
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1488
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5640
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:4660
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1548
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5796
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4432
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4920
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6136
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1820
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4436
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6016
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4524
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3604
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5488
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6240
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6388
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6472
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6528
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6688
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6748
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6848
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6884
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6992
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7000
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:6976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7060
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  PID:7320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6512
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:7708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:6740
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Executes dropped EXE
  PID:7456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6784
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7208
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7304
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7376
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7404
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7512
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:7192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7524
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:6232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7624
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7760
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7768
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:7388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7912
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7920
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:8504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8164
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8176
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:7368
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:8604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7892
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8008
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8300
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8320
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8344
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8516
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8556
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:8812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8744
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:8756
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - Adds Run key to start application
  PID:9460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9028
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8540
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:9964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9288
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9316
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9440
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:9532
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:10280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9644
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9668
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9844
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9904
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10096
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10112
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10188
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9516
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9652
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9388
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10292
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:10376
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10460
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10548
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10592
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:10312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10864
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10932
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11052
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11168
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11248
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10564
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:11852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10728
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10912
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3764
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1616
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11276
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:11836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:11416
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  PID:12380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11536
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11588
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11704
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11776
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11912
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11980
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11992
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12092
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:12968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12184
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11560
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11752
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11936
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:12456
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12580
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12596
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12692
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12768
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12876
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12892
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13020
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13100
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13176
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:13940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12832
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3964
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12996
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13324
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13392
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:13440
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13568
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13584
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13608
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13792
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:15028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13896
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14156
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14228
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13576
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13172
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:15300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14676
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14776
- C:\Users\Admin\AppData\Local\Temp\services.exe
  C:\Users\Admin\AppData\Local\Temp\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14928
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:14732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15016
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15104
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15332
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\services.exe
1⤵
PID:14056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1444
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15356
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:17160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3232
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15568
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16024
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:16752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16368
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:17148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16088
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16508
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16560
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16572
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16872
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:17176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16880
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:17680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16888
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17200
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17224
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17236
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17328
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9456
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17144
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:18248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17476
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:17720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17512
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:17644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18332
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:18764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18372
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:18772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18840
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12032
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:12472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20012
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:20064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14484
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:13964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:13524
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20436
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6120
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4948
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:20252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1800
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:3724
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:19776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4804
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:6492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6696
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6508
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7632
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8084
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7944
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8512
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4492
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:8884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9004
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:9136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9132
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:9336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9448
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9804
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:9880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10076
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10040
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:10092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10608
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:10568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7756
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8364
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  PID:12236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14972
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:12592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:18852
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:11044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:21068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:21176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:21280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:21384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:19524
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:20524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:21172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:7268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:8184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16524
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:14476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:20836
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:9068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:14116
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:10004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5684 -ip 5684
1⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5968 -ip 5968
1⤵
PID:16240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15924
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:15672
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:17040
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:16188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:1192
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\services.exe
1⤵
PID:16524

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7U2DS24N\XX0BVHJR.htm

Filesize
153KB

MD5
9cd4d47d10a069c401cad9f0af2d45bc

SHA1
531b561748438170d4b43febb76ac4d0dd9f7af5

SHA256
5b58fd5d4ba2169f43dc25dcfc62b7481cbc6cbc9107e6093f54d1e55b49f5b4

SHA512
52914493d7a23881569525a9d4b8e442a240e37bc9bc92e9a150d9ac7452169bca11d423efbe42010be33decbb895dedb96b082373f4aaa464db01eada774d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7U2DS24N\search[2].htm

Filesize
115KB

MD5
3cd55d2d7d276072c6a32d14b6ea79c2

SHA1
9ba4c12dcd459e3a49de343eae7180fca4c68d9b

SHA256
60297f64d8586fb87b6b9ebb8f6eba2d4c2ced6053129b746ee797fa226b0490

SHA512
bfacd53bbfefab4d1bcb19772630ac0a73229b04f690bde245eedb0cd1603c19217f643dbf2c6046dfc995a38c9099878289d5a33392374e9ef66b508389741b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A0YW8B0D\search[2].htm

Filesize
183KB

MD5
0a968f50617f207f9f8c6179e21c9884

SHA1
646a9ed361de007a48ca3e3ee7bcc9c48830c351

SHA256
04e571f26559cafabbf10b1b34150dbf144402f4fff694a0f6902365bd94abbc

SHA512
2797541f1f6e98d3089ed970adecc923d60e63c13f2862a89b5f81c4505c61e5354785165146c3c3422f8b7851fde3338d1239748df7e3de0d1740d1cf54d2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A0YW8B0D\search[4].htm

Filesize
183KB

MD5
ffc6b13dbce5dcd5236c100547cf7f55

SHA1
aff7b5ebba65a41e3d4aeed7c62402893c122494

SHA256
9ce9eb390555130724374749175e9fa5908693d726e5f4e0ec2bcbf9f59d4f4b

SHA512
73170e7dc4a059a2dfc5ae8a793d9e6f2141f4e75eaaf81f1ed15c1c95ffaa561dd4985b88d6c7cb2c86b61d3198ab054dc553298200a66201d6eefdc7d78ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH2PF5WH\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\omdf0ck.log

Filesize
1KB

MD5
111620ebfe90480f3f986e87eed8ce23

SHA1
5667526aedfe9036833986352b91a1d854f052fe

SHA256
6e33a32deec6ca64259ebbc3290c238f5da5700e4e5cb86bf02cbf6aebe0a55d

SHA512
918911d22a6f3a62ba86639ed4ec17ae14a1762b746d878b1a54f71a962d6e904c859dbc9b4306345502731fdc04449871b15df57621902eda21f732df75afa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE34B.tmp

Filesize
28KB

MD5
32d0fa89487e2e7a5eee91a291ebc099

SHA1
46febcad6599bdabd696c15fafc9b09a09116e86

SHA256
034dd2c3fb47f3274a43bd3a56fc2278392cef350500fa11d49656e55db93a96

SHA512
fdad7da92102b0f6738082a41cae2debb0d33ff9e184f870a5581f5389a71e36a2c56278cfb03ed61afa19bde06d17677ec4d9e6f74cc79917993c68811b9f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
32B

MD5
4703521edfde49d51b5108705fc901e9

SHA1
4fc421d260e56b1f6d5794119e8413af78eba3b7

SHA256
945caf57801df41faf716224af55ea6ca335f0858a23c9bb32e313b07b4dbe3e

SHA512
f39e48a2ef7b20ba3fab5e9d7764be0805e1504ba864f2c7f11008f6aeffd10ef993db67f5ed1915e81fe031d13c0f5d196efeb0f9c135660d1d0951b055d13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d30ce2f155a215bf93e6acd18b82ed0f

SHA1
be3aa13fa8acb0d9ab250b2885a7b1142722a55f

SHA256
4e64e3a98f21382ec5cc39c1ad6937d3580f2938fe4eaf942125bf54baa79fe2

SHA512
f9325674475cc37dd39c00a53c778e2aa97ab43fe2b8fd31050f1c2e459d27b42f28783e4d03edcad322da3575c6e1fa1b5a21c615ebc2d80053c62b6d9ce9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
289cc4c2af264b5028c9d56cf809f898

SHA1
b6f897946479581c0699295ff3f835eeea2a00eb

SHA256
d06672f35bcac5d09f03fac0073fc319a74d50394e4f47c7f899f0c1416765b9

SHA512
3d459bcb3ce934e83c9fb4a7cfc8cf0b3263bc524aadbd1d3afe967dbeee48210267ea157bf8635ba453a8f6e498656d30abc887cb942aa6b2d719ecaf6533b6

Download Submit
C:\Windows\java.exe

Filesize
28KB

MD5
b42ccd13b77d2b29471adfa27a6ec39c

SHA1
c8384e3925241de0440ca6807829e9cb7c0d0d3b

SHA256
0e66dc39801a53ca8a51e3e1f9bfb896f7cefb71b3438b1d590480d0600c3fde

SHA512
14ac9ac914c17c709d4a32faa20a23b0a0a24bfbd1fc7901b11620dabfc3d14efbec6f8c333d4843a5942189bd3fe32619a925250177e2c5bd020a4174221472

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/892-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/892-94-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1056-134-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1056-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1260-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1300-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1572-110-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1752-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1840-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1840-129-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1980-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2256-108-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2660-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2720-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2840-99-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2840-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3164-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3188-98-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3736-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3736-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3880-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-111-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3904-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3908-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4076-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4380-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4512-162-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4564-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4792-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4812-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4828-115-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4904-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4916-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4980-33-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4992-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5028-93-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5028-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5304-288-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5304-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5304-634-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5304-503-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5304-541-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5304-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5476-212-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5516-107-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5516-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5548-130-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5552-135-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5604-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5684-44-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5684-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5784-151-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5968-653-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5968-51-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5968-542-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5968-516-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/6080-123-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6084-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6180-164-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6232-228-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6324-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6332-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6404-191-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6436-173-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6452-190-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6580-175-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6580-197-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6608-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6636-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6812-204-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6896-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6912-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6912-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6920-208-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6920-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6976-195-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7028-192-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7028-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7192-231-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7252-198-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7320-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7328-201-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7388-232-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7456-230-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7496-233-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7708-210-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7708-236-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7716-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7716-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7832-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7832-217-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7852-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7968-221-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8048-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8048-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8108-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8208-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8228-238-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8504-245-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/13824-532-0x00007FF681990000-0x00007FF6819F7000-memory.dmp

Filesize
412KB

Download
memory/14344-502-0x00007FFE3C860000-0x00007FFE3CBB5000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads