f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
31s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/AppleS5-DEL.exe
Size

3.1MB
MD5

6af7ea6d60309e7a05339a72accc2074
SHA1

1ccfcccae4a481c29c8b142715a9dee070918df9
SHA256

eb8302fbd0a3eda7620c0af1728a5d151afe1648d07525862c3701fc34c36d63
SHA512

bd5e87af04689d7ba11f4d08dae3396de3260d0af8d5813a664bce4b4105f1721b2cbddfc3c8bfb1013f357581b2841790ae523213fa5487c9b39b12198bdc2d
SSDEEP

49152:WMn54uFpQJqpleSBtthqtwRTJP8fOa9pu75KEpIj4ZVCbshPW6G9VSpnZ:AJmeqt31qOaPIUEnbOePWv3gZ

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

AppleS5-DEL.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AppleS5-DEL.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5080 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AppleS5-DEL.exe

pid	process
5080	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppleS5-DEL.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AppleS5-DEL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AppleS5-DEL.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral4/memory/5108-133-0x00007FF6255F0000-0x00007FF625EAD000-memory.dmp	themida
behavioral4/memory/5108-134-0x00007FF6255F0000-0x00007FF625EAD000-memory.dmp	themida
behavioral4/memory/5108-135-0x00007FF6255F0000-0x00007FF625EAD000-memory.dmp	themida
behavioral4/memory/5108-139-0x00007FF6255F0000-0x00007FF625EAD000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

AppleS5-DEL.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AppleS5-DEL.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

AppleS5-DEL.exe

pid process

5108 AppleS5-DEL.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AppleS5-DEL.exe

pid	process
5108	AppleS5-DEL.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-107531261228162"	reg.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

1880 ipconfig.exe
3192 ipconfig.exe
4592 ipconfig.exe

pid	process
1880	ipconfig.exe
3192	ipconfig.exe
4592	ipconfig.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3456	taskkill.exe
3144	taskkill.exe
4448	taskkill.exe
628	taskkill.exe
2148	taskkill.exe
4424	taskkill.exe
1424	taskkill.exe
4804	taskkill.exe
2660	taskkill.exe
5044	taskkill.exe
5100	taskkill.exe
1812	taskkill.exe
1732	taskkill.exe
1908	taskkill.exe

Modifies registry class 2 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Interface\ClsidStore = 1075723361132581789323326737026607228981683628974333020926	reg.exe

Modifies registry key 1 TTPs 25 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4564	reg.exe
388	reg.exe
948	reg.exe
4284	reg.exe
3264	reg.exe
1556	reg.exe
3676	reg.exe
4116	reg.exe
4160	reg.exe
1520	reg.exe
2080	reg.exe
1336	reg.exe
3828	reg.exe
3368	reg.exe
544	reg.exe
4876	reg.exe
4736	reg.exe
636	reg.exe
4084	reg.exe
1964	reg.exe
2332	reg.exe
3156	reg.exe
4804	reg.exe
2792	reg.exe
1448	reg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AppleS5-DEL.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5108 wrote to memory of 4564	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4564	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4160	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4160	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4632	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4632	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4580	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4580	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4000	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4000	5108	AppleS5-DEL.exe	cmd.exe
PID 4000 wrote to memory of 3456	4000	cmd.exe	taskkill.exe
PID 4000 wrote to memory of 3456	4000	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 1064	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 1064	5108	AppleS5-DEL.exe	cmd.exe
PID 1064 wrote to memory of 3144	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 3144	1064	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 1964	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 1964	5108	AppleS5-DEL.exe	cmd.exe
PID 1964 wrote to memory of 5044	1964	cmd.exe	taskkill.exe
PID 1964 wrote to memory of 5044	1964	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 2072	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 2072	5108	AppleS5-DEL.exe	cmd.exe
PID 2072 wrote to memory of 1424	2072	cmd.exe	taskkill.exe
PID 2072 wrote to memory of 1424	2072	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 2160	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 2160	5108	AppleS5-DEL.exe	cmd.exe
PID 2160 wrote to memory of 2148	2160	cmd.exe	taskkill.exe
PID 2160 wrote to memory of 2148	2160	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 2340	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 2340	5108	AppleS5-DEL.exe	cmd.exe
PID 2340 wrote to memory of 4448	2340	cmd.exe	taskkill.exe
PID 2340 wrote to memory of 4448	2340	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 3844	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 3844	5108	AppleS5-DEL.exe	cmd.exe
PID 3844 wrote to memory of 4804	3844	cmd.exe	taskkill.exe
PID 3844 wrote to memory of 4804	3844	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 5112	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 5112	5108	AppleS5-DEL.exe	cmd.exe
PID 5112 wrote to memory of 628	5112	cmd.exe	taskkill.exe
PID 5112 wrote to memory of 628	5112	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 1216	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 1216	5108	AppleS5-DEL.exe	cmd.exe
PID 1216 wrote to memory of 5100	1216	cmd.exe	taskkill.exe
PID 1216 wrote to memory of 5100	1216	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 1000	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 1000	5108	AppleS5-DEL.exe	cmd.exe
PID 1000 wrote to memory of 1812	1000	cmd.exe	taskkill.exe
PID 1000 wrote to memory of 1812	1000	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 3928	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 3928	5108	AppleS5-DEL.exe	cmd.exe
PID 3928 wrote to memory of 1732	3928	cmd.exe	taskkill.exe
PID 3928 wrote to memory of 1732	3928	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 4280	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 4280	5108	AppleS5-DEL.exe	cmd.exe
PID 4280 wrote to memory of 1908	4280	cmd.exe	taskkill.exe
PID 4280 wrote to memory of 1908	4280	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 3872	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 3872	5108	AppleS5-DEL.exe	cmd.exe
PID 3872 wrote to memory of 2660	3872	cmd.exe	taskkill.exe
PID 3872 wrote to memory of 2660	3872	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 3128	5108	AppleS5-DEL.exe	cmd.exe
PID 5108 wrote to memory of 3128	5108	AppleS5-DEL.exe	cmd.exe
PID 3128 wrote to memory of 4424	3128	cmd.exe	taskkill.exe
PID 3128 wrote to memory of 4424	3128	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\AppleS5-DEL.exe
"C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\AppleS5-DEL.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 0b
2⤵
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
4⤵
- Modifies registry key
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
2⤵
PID:824

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
2⤵
PID:1736

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
2⤵
PID:5088

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
- Modifies registry key
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:4912

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-10753 /f
3⤵
- Modifies registry key
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:448

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-10753 /f
3⤵
- Modifies registry key
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
2⤵
PID:1016

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-107531261228162 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
2⤵
PID:2664

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple10753-12612-28162-2659713011} /f
3⤵
- Modifies registry key
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:2304

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple10753-12612-28162-2659713011} /f
3⤵
- Modifies registry key
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:316

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 10753-12612-28162-26597 /f
3⤵
- Modifies registry key
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
2⤵
PID:212

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple10753-12612-28162-26597 /f
3⤵
- Modifies registry key
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
2⤵
PID:4584

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
3⤵
- Modifies registry key
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f
2⤵
PID:488

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic Games /f
3⤵
- Modifies registry key
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
2⤵
PID:3484

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
3⤵
- Modifies registry key
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
2⤵
PID:3968

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
3⤵
- Modifies registry key
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
2⤵
PID:4580

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
- Modifies registry key
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
2⤵
PID:964

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
- Modifies registry key
PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
2⤵
PID:4544

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
- Modifies registry key
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
2⤵
PID:444

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
2⤵
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2164

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 1075723361132581789323326737026607228981683628974333020926 /f
3⤵
- Modifies registry class
- Modifies registry key
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:4824

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-10757-23361-1325817893 /f
3⤵
- Modifies registry key
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:2132

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-10757-23361-1325817893 /f
3⤵
- Modifies registry key
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
2⤵
PID:4140

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
- Modifies registry key
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2136

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 1075723361132581789323326737026607228981683628974333020926 /f
3⤵
- Modifies registry key
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:3844

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 1075723361132581789323326737026607228981683628974333020926 /f
3⤵
- Modifies registry key
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
2⤵
PID:1400

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
3⤵
- Modifies registry key
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh winsock reset
2⤵
PID:3364

C:\Windows\system32\netsh.exe
netsh winsock reset
3⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ip reset
2⤵
PID:3928

C:\Windows\system32\netsh.exe
netsh int ip reset
3⤵
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall reset
2⤵
PID:3684

C:\Windows\system32\netsh.exe
netsh advfirewall reset
3⤵
- Modifies Windows Firewall
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
PID:2080

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /release
2⤵
PID:3564

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /renew
2⤵
PID:2016

C:\Windows\system32\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c arp -d
2⤵
PID:4924

C:\Windows\system32\ARP.EXE
arp -d
3⤵
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface ip delete arpcache
2⤵
PID:2004

C:\Windows\system32\netsh.exe
netsh interface ip delete arpcache
3⤵
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Windows\IME\networkclean.exe
2⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %systemdrive%\Windows\IME\adapters.exe
2⤵
PID:4476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5108-133-0x00007FF6255F0000-0x00007FF625EAD000-memory.dmp

Filesize
8.7MB

Download
memory/5108-134-0x00007FF6255F0000-0x00007FF625EAD000-memory.dmp

Filesize
8.7MB

Download
memory/5108-135-0x00007FF6255F0000-0x00007FF625EAD000-memory.dmp

Filesize
8.7MB

Download
memory/5108-139-0x00007FF6255F0000-0x00007FF625EAD000-memory.dmp

Filesize
8.7MB

Download