b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68

General

Target

applecleanS3.exe
Size

3.2MB
MD5

74786746eb93c662f2c9aa16806b8025
SHA1

9c06dd24a00877c25a84403f2c076b0801bd443e
SHA256

b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68
SHA512

0f612d2b08a92a67531d59077356e06f9df6e18c53356cf2d53ca369265f3f0a0b2f0a8828b06c805a9b206304e499ff1c842eddb285a029d2f0ce86a71be236

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

applecleanS3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleanS3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleanS3.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2816-115-0x00007FF633A40000-0x00007FF634316000-memory.dmp	themida
behavioral2/memory/2816-116-0x00007FF633A40000-0x00007FF634316000-memory.dmp	themida
behavioral2/memory/2816-117-0x00007FF633A40000-0x00007FF634316000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

applecleanS3.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA applecleanS3.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

applecleanS3.exe

pid process

2816 applecleanS3.exe
Drops file in Windows directory 2 IoCs

Processes:

applecleanS3.exe

description ioc process

File created C:\Windows\IME\devcon.exe applecleanS3.exe
File created C:\Windows\IME\network.bat applecleanS3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleanS3.exe

pid	process
2816	applecleanS3.exe

description	ioc	process
File created	C:\Windows\IME\devcon.exe	applecleanS3.exe
File created	C:\Windows\IME\network.bat	applecleanS3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-3922356329505"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Apple-392-23563-2950531378"	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-395-1543-1460122673"	reg.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2532	taskkill.exe
1552	taskkill.exe
2392	taskkill.exe
2156	taskkill.exe
816	taskkill.exe
2832	taskkill.exe
2356	taskkill.exe
2880	taskkill.exe
3556	taskkill.exe
1716	taskkill.exe
3160	taskkill.exe
1836	taskkill.exe
1480	taskkill.exe
3268	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 3981229132465139681914492041597517542318	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe

Modifies registry class 5 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Interface\ClsidStore = 03981229132465139681914492041597517542318181723123011074	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Installer\Dependencies\MSICache = 39812291324651396819144920415975175423181817231230	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3240	reg.exe
1452	reg.exe
1720	reg.exe
2396	reg.exe
584	reg.exe
60	reg.exe
2272	reg.exe
1376	reg.exe
4088	reg.exe
1172	reg.exe
904	reg.exe
2880	reg.exe
2212	reg.exe
1260	reg.exe
64	reg.exe
1552	reg.exe
1724	reg.exe
1924	reg.exe
3548	reg.exe
2208	reg.exe
1548	reg.exe
1920	reg.exe
2072	reg.exe
3904	reg.exe
1348	reg.exe
2156	reg.exe
364	reg.exe
2468	reg.exe
860	reg.exe
3492	reg.exe
2844	reg.exe
2380	reg.exe
1356	reg.exe
676	reg.exe
3640	reg.exe
3892	reg.exe
1900	reg.exe
2932	reg.exe
3292	reg.exe
3624	reg.exe
1364	reg.exe
584	reg.exe
1148	reg.exe
3112	reg.exe
1232	reg.exe
296	reg.exe
2076	reg.exe
3180	reg.exe
3652	reg.exe
2424	reg.exe
2244	reg.exe
1260	reg.exe
368	reg.exe
1344	reg.exe
3804	reg.exe
3180	reg.exe
3996	reg.exe
1536	reg.exe
1792	reg.exe
828	reg.exe
996	reg.exe
1804	reg.exe
3856	reg.exe
588	reg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	3268	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

applecleanS3.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2816 wrote to memory of 516	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 516	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 656	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 656	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 1316	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 1316	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 676	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 676	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 2960	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 2960	2816	applecleanS3.exe	cmd.exe
PID 2960 wrote to memory of 816	2960	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 816	2960	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 3540	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 3540	2816	applecleanS3.exe	cmd.exe
PID 3540 wrote to memory of 3268	3540	cmd.exe	taskkill.exe
PID 3540 wrote to memory of 3268	3540	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2456	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 2456	2816	applecleanS3.exe	cmd.exe
PID 2456 wrote to memory of 2880	2456	cmd.exe	taskkill.exe
PID 2456 wrote to memory of 2880	2456	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 4064	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 4064	2816	applecleanS3.exe	cmd.exe
PID 4064 wrote to memory of 1836	4064	cmd.exe	taskkill.exe
PID 4064 wrote to memory of 1836	4064	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 600	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 600	2816	applecleanS3.exe	cmd.exe
PID 600 wrote to memory of 2832	600	cmd.exe	taskkill.exe
PID 600 wrote to memory of 2832	600	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 3200	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 3200	2816	applecleanS3.exe	cmd.exe
PID 3200 wrote to memory of 3160	3200	cmd.exe	taskkill.exe
PID 3200 wrote to memory of 3160	3200	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2640	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 2640	2816	applecleanS3.exe	cmd.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2860	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 2860	2816	applecleanS3.exe	cmd.exe
PID 2860 wrote to memory of 1552	2860	cmd.exe	taskkill.exe
PID 2860 wrote to memory of 1552	2860	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 3972	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 3972	2816	applecleanS3.exe	cmd.exe
PID 3972 wrote to memory of 1480	3972	cmd.exe	taskkill.exe
PID 3972 wrote to memory of 1480	3972	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 1068	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 1068	2816	applecleanS3.exe	cmd.exe
PID 1068 wrote to memory of 2392	1068	cmd.exe	taskkill.exe
PID 1068 wrote to memory of 2392	1068	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 1356	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 1356	2816	applecleanS3.exe	cmd.exe
PID 1356 wrote to memory of 3556	1356	cmd.exe	taskkill.exe
PID 1356 wrote to memory of 3556	1356	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2296	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 2296	2816	applecleanS3.exe	cmd.exe
PID 2296 wrote to memory of 1716	2296	cmd.exe	taskkill.exe
PID 2296 wrote to memory of 1716	2296	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 1924	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 1924	2816	applecleanS3.exe	cmd.exe
PID 1924 wrote to memory of 2156	1924	cmd.exe	taskkill.exe
PID 1924 wrote to memory of 2156	1924	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 3772	2816	applecleanS3.exe	cmd.exe
PID 2816 wrote to memory of 3772	2816	applecleanS3.exe	cmd.exe
PID 3772 wrote to memory of 2356	3772	cmd.exe	taskkill.exe
PID 3772 wrote to memory of 2356	3772	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\applecleanS3.exe
"C:\Users\Admin\AppData\Local\Temp\applecleanS3.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 0b
2⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
2⤵
PID:2932

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
2⤵
PID:3376

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
2⤵
PID:2976

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
- Modifies registry key
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:996

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-392 /f
3⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1980

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-392 /f
3⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
2⤵
PID:2164

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple392-23563-29505-31378 /f
3⤵
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f
2⤵
PID:2588

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-392-%random} /f
3⤵
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
2⤵
PID:1676

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-3922356329505 /f
3⤵
- Modifies registry key
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f
2⤵
PID:3548

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-392 /f
3⤵
- Modifies registry key
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f
2⤵
PID:1328

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-392 /f
3⤵
- Modifies registry key
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
2⤵
PID:676

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-3922356329505 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:3492

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-392-23563-2950531378} /f
3⤵
- Modifies registry key
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:2956

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-392-23563-2950531378} /f
3⤵
- Modifies registry key
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:3264

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-392-23563-2950531378} /f
3⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:2584

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-392-23563-2950531378 /f
3⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1564

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-392-23563-2950531378 /f
3⤵
- Modifies registry key
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1836

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-392-23563-2950531378 /f
3⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3652

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-392-23563-2950531378 /f
3⤵
- Modifies registry key
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3624

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-392-23563-2950531378 /f
3⤵
- Modifies registry key
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:60

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-392-23563-2950531378 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3184

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-395-1543-1460122673 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:2372

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-395-1543-1460122673} /f
3⤵
- Modifies registry key
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:668

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-395-1543-1460122673} /f
3⤵
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1364

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-395 /f
3⤵
- Modifies registry key
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
2⤵
PID:1052

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 395 /f
3⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
2⤵
PID:828

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 395 /f
3⤵
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1148

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-395 /f
3⤵
- Modifies registry key
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
2⤵
PID:2380

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple395-1543-14601-226738830} /f
3⤵
- Modifies registry key
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:1404

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple395-1543-14601-226738830} /f
3⤵
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
2⤵
PID:1356

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 395 /f
3⤵
- Modifies registry key
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
2⤵
PID:4092

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 395 /f
3⤵
- Modifies registry key
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
2⤵
PID:2080

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 395 /f
3⤵
- Modifies registry key
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:2156

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 395-1543-14601-22673 /f
3⤵
- Modifies registry key
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
2⤵
PID:3112

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple395-1543-14601-22673 /f
3⤵
- Modifies registry key
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f
2⤵
PID:2208

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple395 /f
3⤵
PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
2⤵
PID:3240

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 395 /f
3⤵
- Modifies registry key
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
2⤵
PID:1232

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 395 /f
3⤵
- Modifies registry key
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f
2⤵
PID:2212

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple395-1543-14601-22673} /f
3⤵
- Modifies registry key
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
2⤵
PID:1720

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
3⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
2⤵
PID:996

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 395-1543-14601-226738830 /f
3⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
2⤵
PID:2396

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
- Modifies registry key
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
2⤵
PID:2424

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
2⤵
PID:1548

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
- Modifies registry key
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
2⤵
PID:3832

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:3848

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
- Modifies registry key
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:584

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:2652

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
- Modifies registry key
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:1176

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
- Modifies registry key
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:676

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
- Modifies registry key
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
2⤵
PID:364

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
3⤵
- Modifies registry key
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1212

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-395-1543-1460122673 /f
3⤵
- Modifies registry key
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1824

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-395-1543-1460122673 /f
3⤵
- Modifies registry key
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3264

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-395-1543-1460122673 /f
3⤵
- Modifies registry key
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
2⤵
PID:1804

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1260

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-395-1543-1460122673 /f
3⤵
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:2076

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-395-1543-1460122673 /f
3⤵
- Modifies registry key
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3804

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-398-12291-3246513968 /f
3⤵
- Modifies registry key
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:3180

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
- Modifies registry key
PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:368

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:1920

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:2468

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:3676

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
2⤵
PID:1552

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
3⤵
- Modifies registry key
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:980

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 3981229132465139681914492041597517542318181723123011074 /f
3⤵
- Modifies registry class
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1116

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-398-12291-3246513968 /f
3⤵
- Modifies registry key
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:3892

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-398-12291-3246513968 /f
3⤵
- Modifies registry key
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1376

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-398-12291-3246513968 /f
3⤵
- Modifies registry key
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
2⤵
PID:1524

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1900

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-398-12291-3246513968 /f
3⤵
- Modifies registry key
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1724

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-398-12291-3246513968 /f
3⤵
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
2⤵
PID:2072

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
3⤵
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
2⤵
PID:1924

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
3⤵
- Modifies registry key
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
2⤵
PID:3996

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
3⤵
- Modifies registry key
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
2⤵
PID:3596

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
- Modifies registry key
PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
2⤵
PID:2932

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
2⤵
PID:3904

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History /f
3⤵
- Modifies registry key
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
2⤵
PID:3292

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
3⤵
- Modifies registry key
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
2⤵
PID:1668

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
- Modifies registry key
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
2⤵
PID:4044

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
3⤵
- Modifies registry key
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
2⤵
PID:4088

C:\Windows\system32\reg.exe
reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
3⤵
- Checks processor information in registry
- Modifies registry key
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
2⤵
PID:2412

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
3⤵
- Modifies registry key
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
2⤵
PID:1536

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
3⤵
- Modifies registry key
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
2⤵
PID:3896

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
3⤵
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
2⤵
PID:1348

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
3⤵
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
2⤵
PID:3548

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
3⤵
- Modifies registry key
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1172

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 3981229132465139681914492041597517542318181723123011074 /f
3⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2272

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 39812291324651396819144920415975175423181817231230 /f
3⤵
- Modifies registry class
- Modifies registry key
PID:296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:860

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 398122913246513968191449204159751754231818172 /f
3⤵
- Modifies registry key
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:3492

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 3981229132465139681914492041597517542318181723123011074 /f
3⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1344

C:\Windows\system32\reg.exe
REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 3981229132465139681914492041597517542318181723123011074 /f
3⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2844

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 3981229132465139681914492041597517542318 /f
3⤵
- Modifies Internet Explorer settings
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:2880

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 3981229132465 /f
3⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:712

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 3981229132465 /f
3⤵
- Modifies registry key
PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1236

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 3981229132465 /f
3⤵
- Modifies registry key
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1792

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 3981229132465 /f
3⤵
- Modifies registry key
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:3652

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 402230401756252642945913131190883159418830120243108311119 /f
3⤵
- Modifies registry key
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f
2⤵
PID:3624

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.402.23040-17562_526429459 /f
3⤵
- Modifies registry key
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
2⤵
PID:344

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {402-23040-17562-5264} /f
3⤵
- Modifies registry key
PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
2⤵
PID:3184

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
3⤵
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
2⤵
PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-175-0x0000000000000000-mapping.dmp

Download
memory/364-173-0x0000000000000000-mapping.dmp

Download
memory/516-118-0x0000000000000000-mapping.dmp

Download
memory/584-167-0x0000000000000000-mapping.dmp

Download
memory/588-169-0x0000000000000000-mapping.dmp

Download
memory/600-130-0x0000000000000000-mapping.dmp

Download
memory/656-119-0x0000000000000000-mapping.dmp

Download
memory/676-121-0x0000000000000000-mapping.dmp

Download
memory/676-170-0x0000000000000000-mapping.dmp

Download
memory/816-123-0x0000000000000000-mapping.dmp

Download
memory/996-156-0x0000000000000000-mapping.dmp

Download
memory/1068-140-0x0000000000000000-mapping.dmp

Download
memory/1260-181-0x0000000000000000-mapping.dmp

Download
memory/1316-120-0x0000000000000000-mapping.dmp

Download
memory/1328-168-0x0000000000000000-mapping.dmp

Download
memory/1356-142-0x0000000000000000-mapping.dmp

Download
memory/1452-155-0x0000000000000000-mapping.dmp

Download
memory/1480-139-0x0000000000000000-mapping.dmp

Download
memory/1536-163-0x0000000000000000-mapping.dmp

Download
memory/1552-137-0x0000000000000000-mapping.dmp

Download
memory/1564-180-0x0000000000000000-mapping.dmp

Download
memory/1664-179-0x0000000000000000-mapping.dmp

Download
memory/1676-164-0x0000000000000000-mapping.dmp

Download
memory/1716-145-0x0000000000000000-mapping.dmp

Download
memory/1836-129-0x0000000000000000-mapping.dmp

Download
memory/1924-146-0x0000000000000000-mapping.dmp

Download
memory/1980-158-0x0000000000000000-mapping.dmp

Download
memory/2156-147-0x0000000000000000-mapping.dmp

Download
memory/2164-160-0x0000000000000000-mapping.dmp

Download
memory/2244-153-0x0000000000000000-mapping.dmp

Download
memory/2272-171-0x0000000000000000-mapping.dmp

Download
memory/2296-144-0x0000000000000000-mapping.dmp

Download
memory/2356-149-0x0000000000000000-mapping.dmp

Download
memory/2392-141-0x0000000000000000-mapping.dmp

Download
memory/2456-126-0x0000000000000000-mapping.dmp

Download
memory/2532-135-0x0000000000000000-mapping.dmp

Download
memory/2584-178-0x0000000000000000-mapping.dmp

Download
memory/2588-162-0x0000000000000000-mapping.dmp

Download
memory/2640-134-0x0000000000000000-mapping.dmp

Download
memory/2816-117-0x00007FF633A40000-0x00007FF634316000-memory.dmp

Filesize
8.8MB

Download
memory/2816-115-0x00007FF633A40000-0x00007FF634316000-memory.dmp

Filesize
8.8MB

Download
memory/2816-116-0x00007FF633A40000-0x00007FF634316000-memory.dmp

Filesize
8.8MB

Download
memory/2832-131-0x0000000000000000-mapping.dmp

Download
memory/2860-136-0x0000000000000000-mapping.dmp

Download
memory/2880-127-0x0000000000000000-mapping.dmp

Download
memory/2932-150-0x0000000000000000-mapping.dmp

Download
memory/2956-174-0x0000000000000000-mapping.dmp

Download
memory/2960-122-0x0000000000000000-mapping.dmp

Download
memory/2976-154-0x0000000000000000-mapping.dmp

Download
memory/2980-157-0x0000000000000000-mapping.dmp

Download
memory/3160-133-0x0000000000000000-mapping.dmp

Download
memory/3200-132-0x0000000000000000-mapping.dmp

Download
memory/3240-151-0x0000000000000000-mapping.dmp

Download
memory/3264-176-0x0000000000000000-mapping.dmp

Download
memory/3268-125-0x0000000000000000-mapping.dmp

Download
memory/3376-152-0x0000000000000000-mapping.dmp

Download
memory/3492-172-0x0000000000000000-mapping.dmp

Download
memory/3540-124-0x0000000000000000-mapping.dmp

Download
memory/3540-177-0x0000000000000000-mapping.dmp

Download
memory/3548-166-0x0000000000000000-mapping.dmp

Download
memory/3556-143-0x0000000000000000-mapping.dmp

Download
memory/3560-159-0x0000000000000000-mapping.dmp

Download
memory/3772-148-0x0000000000000000-mapping.dmp

Download
memory/3824-161-0x0000000000000000-mapping.dmp

Download
memory/3856-165-0x0000000000000000-mapping.dmp

Download
memory/3972-138-0x0000000000000000-mapping.dmp

Download
memory/4064-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads