db4e12073c2200c86e5f1dda3adf7633357906e2bb97853dac9876680cd44d6c

Analysis

max time kernel
77s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Monotone-HWID-Spoofer-0.0.1/Monotone.exe
Size

160KB
MD5

cd6cddac2686df01814705f21e6da343
SHA1

f29ad4efdc160ffba5cb63e01349ec9b84123e30
SHA256

0f7f86530b7fa2e693a2a3a5bf69957e61c2f45d39418d077285a1ea6f4bb992
SHA512

a673d521f316d3e0fa87a99effa33c5dc4fde315e72b7f6cbb828a94ffe8ebeed4bf9ca6fe858b3c69327aa4ce05ae02b37e2a392abb7cc728c4bbe2ab9a6de4
SSDEEP

3072:yuo1MlSEqhqJhJy0WTHW69B9VjMdxPedN9ug0/9TBfsdZK0:y5oaqJhJMHW69B9VjMdxPedN9ug0/9Tk

Score

7^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates processes with tasklist 1 TTPs 17 IoCs

discovery

Process Discovery

T1057

pid	Process
4840	tasklist.exe
2076	tasklist.exe
3544	tasklist.exe
2324	tasklist.exe
1668	tasklist.exe
4232	tasklist.exe
3036	tasklist.exe
3148	tasklist.exe
5016	tasklist.exe
704	tasklist.exe
2324	tasklist.exe
4384	tasklist.exe
2964	tasklist.exe
1864	tasklist.exe
344	tasklist.exe
3544	tasklist.exe
1076	tasklist.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	batbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetInput.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 17 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1080	PING.EXE
644	PING.EXE
660	PING.EXE
4716	PING.EXE
1508	PING.EXE
4688	PING.EXE
3116	PING.EXE
2176	PING.EXE
3240	PING.EXE
2688	PING.EXE
3352	PING.EXE
4464	PING.EXE
1248	PING.EXE
2268	PING.EXE
4444	PING.EXE
1144	PING.EXE
4812	PING.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Adapters.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Adapters.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Adapters.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Adapters.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 17 IoCs

Remote System Discovery

T1018

pid	Process
1248	PING.EXE
3352	PING.EXE
1080	PING.EXE
4716	PING.EXE
1508	PING.EXE
644	PING.EXE
4444	PING.EXE
4464	PING.EXE
2268	PING.EXE
2176	PING.EXE
3240	PING.EXE
660	PING.EXE
4688	PING.EXE
3116	PING.EXE
2688	PING.EXE
1144	PING.EXE
4812	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	powershell.exe
2124	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4772	WMIC.exe
Token: SeSecurityPrivilege	4772	WMIC.exe
Token: SeTakeOwnershipPrivilege	4772	WMIC.exe
Token: SeLoadDriverPrivilege	4772	WMIC.exe
Token: SeSystemProfilePrivilege	4772	WMIC.exe
Token: SeSystemtimePrivilege	4772	WMIC.exe
Token: SeProfSingleProcessPrivilege	4772	WMIC.exe
Token: SeIncBasePriorityPrivilege	4772	WMIC.exe
Token: SeCreatePagefilePrivilege	4772	WMIC.exe
Token: SeBackupPrivilege	4772	WMIC.exe
Token: SeRestorePrivilege	4772	WMIC.exe
Token: SeShutdownPrivilege	4772	WMIC.exe
Token: SeDebugPrivilege	4772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4772	WMIC.exe
Token: SeRemoteShutdownPrivilege	4772	WMIC.exe
Token: SeUndockPrivilege	4772	WMIC.exe
Token: SeManageVolumePrivilege	4772	WMIC.exe
Token: 33	4772	WMIC.exe
Token: 34	4772	WMIC.exe
Token: 35	4772	WMIC.exe
Token: 36	4772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4772	WMIC.exe
Token: SeSecurityPrivilege	4772	WMIC.exe
Token: SeTakeOwnershipPrivilege	4772	WMIC.exe
Token: SeLoadDriverPrivilege	4772	WMIC.exe
Token: SeSystemProfilePrivilege	4772	WMIC.exe
Token: SeSystemtimePrivilege	4772	WMIC.exe
Token: SeProfSingleProcessPrivilege	4772	WMIC.exe
Token: SeIncBasePriorityPrivilege	4772	WMIC.exe
Token: SeCreatePagefilePrivilege	4772	WMIC.exe
Token: SeBackupPrivilege	4772	WMIC.exe
Token: SeRestorePrivilege	4772	WMIC.exe
Token: SeShutdownPrivilege	4772	WMIC.exe
Token: SeDebugPrivilege	4772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4772	WMIC.exe
Token: SeRemoteShutdownPrivilege	4772	WMIC.exe
Token: SeUndockPrivilege	4772	WMIC.exe
Token: SeManageVolumePrivilege	4772	WMIC.exe
Token: 33	4772	WMIC.exe
Token: 34	4772	WMIC.exe
Token: 35	4772	WMIC.exe
Token: 36	4772	WMIC.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	4232	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4868	WMIC.exe
Token: SeSecurityPrivilege	4868	WMIC.exe
Token: SeTakeOwnershipPrivilege	4868	WMIC.exe
Token: SeLoadDriverPrivilege	4868	WMIC.exe
Token: SeSystemProfilePrivilege	4868	WMIC.exe
Token: SeSystemtimePrivilege	4868	WMIC.exe
Token: SeProfSingleProcessPrivilege	4868	WMIC.exe
Token: SeIncBasePriorityPrivilege	4868	WMIC.exe
Token: SeCreatePagefilePrivilege	4868	WMIC.exe
Token: SeBackupPrivilege	4868	WMIC.exe
Token: SeRestorePrivilege	4868	WMIC.exe
Token: SeShutdownPrivilege	4868	WMIC.exe
Token: SeDebugPrivilege	4868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4868	WMIC.exe
Token: SeRemoteShutdownPrivilege	4868	WMIC.exe
Token: SeUndockPrivilege	4868	WMIC.exe
Token: SeManageVolumePrivilege	4868	WMIC.exe
Token: 33	4868	WMIC.exe
Token: 34	4868	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4576	3704	Monotone.exe	82
PID 3704 wrote to memory of 4576	3704	Monotone.exe	82
PID 4576 wrote to memory of 3256	4576	cmd.exe	84
PID 4576 wrote to memory of 3256	4576	cmd.exe	84
PID 4576 wrote to memory of 1080	4576	cmd.exe	85
PID 4576 wrote to memory of 1080	4576	cmd.exe	85
PID 4576 wrote to memory of 2044	4576	cmd.exe	88
PID 4576 wrote to memory of 2044	4576	cmd.exe	88
PID 4576 wrote to memory of 4756	4576	cmd.exe	89
PID 4576 wrote to memory of 4756	4576	cmd.exe	89
PID 4576 wrote to memory of 4756	4576	cmd.exe	89
PID 4576 wrote to memory of 3528	4576	cmd.exe	90
PID 4576 wrote to memory of 3528	4576	cmd.exe	90
PID 4576 wrote to memory of 3528	4576	cmd.exe	90
PID 4576 wrote to memory of 2492	4576	cmd.exe	91
PID 4576 wrote to memory of 2492	4576	cmd.exe	91
PID 4576 wrote to memory of 2492	4576	cmd.exe	91
PID 4576 wrote to memory of 1668	4576	cmd.exe	93
PID 4576 wrote to memory of 1668	4576	cmd.exe	93
PID 4576 wrote to memory of 2268	4576	cmd.exe	94
PID 4576 wrote to memory of 2268	4576	cmd.exe	94
PID 4576 wrote to memory of 2096	4576	cmd.exe	96
PID 4576 wrote to memory of 2096	4576	cmd.exe	96
PID 4576 wrote to memory of 4500	4576	cmd.exe	97
PID 4576 wrote to memory of 4500	4576	cmd.exe	97
PID 4500 wrote to memory of 4772	4500	cmd.exe	98
PID 4500 wrote to memory of 4772	4500	cmd.exe	98
PID 4576 wrote to memory of 2396	4576	cmd.exe	99
PID 4576 wrote to memory of 2396	4576	cmd.exe	99
PID 2396 wrote to memory of 2752	2396	cmd.exe	100
PID 2396 wrote to memory of 2752	2396	cmd.exe	100
PID 4576 wrote to memory of 3508	4576	cmd.exe	101
PID 4576 wrote to memory of 3508	4576	cmd.exe	101
PID 3508 wrote to memory of 2028	3508	cmd.exe	102
PID 3508 wrote to memory of 2028	3508	cmd.exe	102
PID 4576 wrote to memory of 2212	4576	cmd.exe	103
PID 4576 wrote to memory of 2212	4576	cmd.exe	103
PID 2212 wrote to memory of 2584	2212	cmd.exe	104
PID 2212 wrote to memory of 2584	2212	cmd.exe	104
PID 4576 wrote to memory of 1608	4576	cmd.exe	105
PID 4576 wrote to memory of 1608	4576	cmd.exe	105
PID 1608 wrote to memory of 4952	1608	cmd.exe	106
PID 1608 wrote to memory of 4952	1608	cmd.exe	106
PID 4576 wrote to memory of 4612	4576	cmd.exe	107
PID 4576 wrote to memory of 4612	4576	cmd.exe	107
PID 4612 wrote to memory of 1496	4612	cmd.exe	108
PID 4612 wrote to memory of 1496	4612	cmd.exe	108
PID 4576 wrote to memory of 1312	4576	cmd.exe	109
PID 4576 wrote to memory of 1312	4576	cmd.exe	109
PID 1312 wrote to memory of 2508	1312	cmd.exe	110
PID 1312 wrote to memory of 2508	1312	cmd.exe	110
PID 4576 wrote to memory of 2992	4576	cmd.exe	111
PID 4576 wrote to memory of 2992	4576	cmd.exe	111
PID 2992 wrote to memory of 1072	2992	cmd.exe	112
PID 2992 wrote to memory of 1072	2992	cmd.exe	112
PID 4576 wrote to memory of 4312	4576	cmd.exe	113
PID 4576 wrote to memory of 4312	4576	cmd.exe	113
PID 4312 wrote to memory of 632	4312	cmd.exe	114
PID 4312 wrote to memory of 632	4312	cmd.exe	114
PID 4576 wrote to memory of 3032	4576	cmd.exe	115
PID 4576 wrote to memory of 3032	4576	cmd.exe	115
PID 4576 wrote to memory of 3032	4576	cmd.exe	115
PID 4576 wrote to memory of 5096	4576	cmd.exe	116
PID 4576 wrote to memory of 5096	4576	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Monotone.exe
"C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Monotone.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\96A2.tmp\96A3.tmp\96A4.bat C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Monotone.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\mode.com
    mode 80,20
    3⤵
    PID:3256
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\colorecho-vc10-x86_64.exe
    colorecho-vc10-x86_64.exe " Monotone" 1
    3⤵
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 21 17 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 21 16 /a 32 /d " " /a 32 /g 21 15 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 23 16 /c 0xf0 /d " Enter " /c 0x07
    3⤵
    PID:3528
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 21 15 39 17 /H 70 70
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
- - C:\Windows\system32\tasklist.exe
    tasklist /NH /FI "imagename eq Block.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\system32\find.exe
    find /i "Block.exe"
    3⤵
    PID:2268
- - C:\Windows\system32\mode.com
    mode 80,20
    3⤵
    PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v "HwProfileGuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v "HwProfileGuid"
      4⤵
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v "MachineGuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v "MachineGuid"
      4⤵
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "Hostname"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "Hostname"
      4⤵
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v "NetworkAddress"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v "NetworkAddress"
      4⤵
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v "PropertyGuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v "PropertyGuid"
      4⤵
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_CURRENT_USER\Monetone" /v "VolumeID"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_CURRENT_USER\Monetone" /v "VolumeID"
      4⤵
      PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID"
      4⤵
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\3" /v "ServiceName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\3" /v "ServiceName"
      4⤵
      PID:632
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 0 2 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 0 1 /a 32 /d " " /a 32 /g 0 0 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 67 6 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 67 5 /a 32 /d " " /a 32 /g 67 4 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:5096
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 2 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 2 17 /a 32 /d " " /a 32 /g 2 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 42 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 42 17 /a 32 /d " " /a 32 /g 42 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:4744
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 2 1 /c 0x0f /d " Clean " /g 69 5 /c 0x0f /d "Refresh" /g 4 17 /c 0x0f /d " Unban " /g 44 17 /c 0x0f /d " Easy Anti Cheat " /c 0x07
    3⤵
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 0 0 79 2 67 4 77 6 2 16 38 18 42 16 77 18 /H 07 07 07
    3⤵
    PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type "mac.txt"|find /c /v ""
    3⤵
    PID:3908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "mac.txt""
      4⤵
      PID:3040
  - - C:\Windows\system32\find.exe
      find /c /v ""
      4⤵
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE mac.txt
    3⤵
    PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type "host.txt"|find /c /v ""
    3⤵
    PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "host.txt""
      4⤵
      PID:3748
  - - C:\Windows\system32\find.exe
      find /c /v ""
      4⤵
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE host.txt
    3⤵
    PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
    3⤵
    PID:3152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
      4⤵
      PID:704
  - - C:\Windows\system32\find.exe
      find /c /v ""
      4⤵
      PID:760
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Volumeid64.exe
    Volumeid64.exe C: 16C0-FFC6
    3⤵
    PID:2736
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Monetone" /v VolumeID /t REG_SZ /d 16C0-FFC6 /f
    3⤵
    PID:1664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -nologo -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\hwid.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d Desktop-FEF5A /f
    3⤵
    PID:1536
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v Hostname /t REG_SZ /d Desktop-FEF5A /f
    3⤵
    PID:4084
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d Desktop-FEF5A /f
    3⤵
    PID:3356
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t REG_SZ /d Desktop-FEF5A /f
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /f
    3⤵
    PID:544
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d /f
    3⤵
    PID:3692
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Wi-Fi" admin=disabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3764
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v NetworkAddress /d 024EFB38196A /f
    3⤵
    PID:2336
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0002" /v NetworkAddress /d 024EFB38196A /f
    3⤵
    PID:1076
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0002" /v NetworkAddress /d 024EFB38196A /f
    3⤵
    PID:2368
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0002" /v NetworkAddress /d 024EFB38196A /f
    3⤵
    PID:3576
- - C:\Windows\system32\netsh.exe
    netsh interface set interface name="Wi-Fi" admin=enabled
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2784
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {FA61BCA7-A7DB-20AF-A7DB-6a974E16C33E} /f
    3⤵
    PID:3188
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {FA61BCA7-A7DB-20AF-A7DB-6a974E16C33E} /f
    3⤵
    PID:5076
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 00331-10401-00001-AFFC6 /f
    3⤵
    PID:4392
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId /t REG_BINARY /d A4000000000003030312D3836382D303030303030372D383535353700AA0000005831352D3333000000000000000C3AABF20AFBA18B8878E89D20AF000000000000396CC459BD0300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A7DB6736 /f
    3⤵
    PID:2888
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId4 /t REG_BINARY /d FA61BCA70400000030003000330037A7DB002D00300030003100370030002D003800360038002D003000300030003000300030002D00300033002D0031003000330033002D0037003600300031002E0030003000300030002D003200360035003200300031003700000000000000000000000000000000000000000000000000000000000000000062003900320065003FA61BCA780030002D0062003900035002D0034003800320031002D0039006300390034002D0031003400300066003600330032006600360033003100320000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050006F0066006500730073006A7DBF006E0061006C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C3AABFA65BBA18B889D24ED80000C61FA61BCA7D0BEDFD25EA7DB45B89FFF45564B84E87CB968EC7F4D18F6E5066261A0B704B9D2739558B7E97DF882AB087AB0D8A314BA9BB1E06029EA28D5800310035002D0033003900310037003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C0075006D006A00470056004C004B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C007D0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 /f
    3⤵
    PID:3248
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Commands\Hidden\Block.exe
    Block.exe
    3⤵
    PID:3256
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9BF.tmp\9C0.tmp\9C1.bat C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Commands\Hidden\Block.exe"
      4⤵
      PID:3760
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:660
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3036
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:4312
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4716
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3544
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1508
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:704
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:1012
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1248
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2324
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:2284
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:4384
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:1264
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3148
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:5116
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1864
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:2584
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:644
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:4840
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:1420
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2076
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4444
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3544
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1144
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:2324
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:344
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:5060
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3352
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1076
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:4220
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3240
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "imagename eq Monotone.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:5016
    - - C:\Windows\system32\find.exe
        
        find /i "Monotone.exe"
        5⤵
        
        PID:4400
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4464
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Commands\Hidden\UnbanComplete.vbs"
    3⤵
    PID:2872
- - C:\Windows\system32\tasklist.exe
    tasklist /NH /FI "imagename eq Block.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- - C:\Windows\system32\find.exe
    find /i "Block.exe"
    3⤵
    PID:880
- - C:\Windows\system32\mode.com
    mode 80,20
    3⤵
    PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    PID:3528
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v "HwProfileGuid"
    3⤵
    PID:4960
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v "HwProfileGuid"
      4⤵
      PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v "MachineGuid"
    3⤵
    PID:5116
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v "MachineGuid"
      4⤵
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "Hostname"
    3⤵
    PID:2268
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "Hostname"
      4⤵
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v "NetworkAddress"
    3⤵
    PID:4048
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v "NetworkAddress"
      4⤵
      PID:4856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v "PropertyGuid"
    3⤵
    PID:4772
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v "PropertyGuid"
      4⤵
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_CURRENT_USER\Monetone" /v "VolumeID"
    3⤵
    PID:1792
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_CURRENT_USER\Monetone" /v "VolumeID"
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID"
    3⤵
    PID:2752
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID"
      4⤵
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\3" /v "ServiceName"
    3⤵
    PID:2212
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\3" /v "ServiceName"
      4⤵
      PID:2944
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 0 2 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 0 1 /a 32 /d " " /a 32 /g 0 0 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 67 6 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 67 5 /a 32 /d " " /a 32 /g 67 4 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 2 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 2 17 /a 32 /d " " /a 32 /g 2 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1272
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 42 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 42 17 /a 32 /d " " /a 32 /g 42 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:3084
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 2 1 /c 0x0f /d " Clean " /g 69 5 /c 0x0f /d "Refresh" /g 4 17 /c 0x0f /d " Unban " /g 44 17 /c 0x0f /d " Easy Anti Cheat " /c 0x07
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 0 0 79 2 67 4 77 6 2 16 38 18 42 16 77 18 /H 07 07 07
    3⤵
    PID:3660
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine" /f
    3⤵
    PID:4680
- - C:\Windows\system32\tasklist.exe
    tasklist /NH /FI "imagename eq Block.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2964
- - C:\Windows\system32\find.exe
    find /i "Block.exe"
    3⤵
    PID:3700
- - C:\Windows\system32\mode.com
    mode 80,20
    3⤵
    PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    PID:4892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v "HwProfileGuid"
    3⤵
    PID:4668
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v "HwProfileGuid"
      4⤵
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v "MachineGuid"
    3⤵
    PID:3692
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v "MachineGuid"
      4⤵
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "Hostname"
    3⤵
    PID:3984
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "Hostname"
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v "NetworkAddress"
    3⤵
    PID:1660
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v "NetworkAddress"
      4⤵
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v "PropertyGuid"
    3⤵
    PID:5024
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v "PropertyGuid"
      4⤵
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_CURRENT_USER\Monetone" /v "VolumeID"
    3⤵
    PID:4152
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_CURRENT_USER\Monetone" /v "VolumeID"
      4⤵
      PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID"
    3⤵
    PID:920
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductID"
      4⤵
      PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\3" /v "ServiceName"
    3⤵
    PID:4948
  - - C:\Windows\system32\reg.exe
      reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\3" /v "ServiceName"
      4⤵
      PID:3616
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 0 2 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 0 1 /a 32 /d " " /a 32 /g 0 0 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 67 6 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 67 5 /a 32 /d " " /a 32 /g 67 4 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 2 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 2 17 /a 32 /d " " /a 32 /g 2 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0x0f /g 42 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 42 17 /a 32 /d " " /a 32 /g 42 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 2 1 /c 0x0f /d " Clean " /g 69 5 /c 0x0f /d "Refresh" /g 4 17 /c 0x0f /d " Unban " /g 44 17 /c 0x0f /d " Easy Anti Cheat " /c 0x07
    3⤵
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 0 0 79 2 67 4 77 6 2 16 38 18 42 16 77 18 /H 07 07 07
    3⤵
    PID:3244
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 0 2 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 0 1 /a 32 /d " " /a 32 /g 0 0 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:4856
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 2 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 2 17 /a 32 /d " " /a 32 /g 2 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 42 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 42 17 /a 32 /d " " /a 32 /g 42 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:3796
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 2 1 /c 0xf0 /d " Spoofer " /g 4 17 /c 0xf0 /d " Clean " /g 44 17 /c 0xf0 /d " Manual Options " /c 0x07
    3⤵
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 0 0 79 2 2 16 38 18 42 16 77 18 /H f8
    3⤵
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 0 2 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 0 1 /a 32 /d " " /a 32 /g 0 0 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 8 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 7 /a 32 /d " " /a 32 /g 47 6 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 12 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 11 /a 32 /d " " /a 32 /g 47 10 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:556
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 15 /a 32 /d " " /a 32 /g 47 14 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:3344
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 2 1 /c 0xf0 /d " Back " /g 49 7 /c 0xf0 /d " Launch " /g 49 11 /c 0xf0 /d " Launch " /g 49 15 /c 0xf0 /d " Launch " /c 0x07
    3⤵
    PID:4276
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 0 0 79 2 47 6 60 8 47 10 60 12 47 14 60 16 /H f8
    3⤵
    PID:3520
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Commands\Hidden\AlternateStreamView.exe
    AlternateStreamView.exe
    3⤵
    PID:4944
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 0 2 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 0 1 /a 32 /d " " /a 32 /g 0 0 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 8 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 7 /a 32 /d " " /a 32 /g 47 6 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 12 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 11 /a 32 /d " " /a 32 /g 47 10 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1188
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 15 /a 32 /d " " /a 32 /g 47 14 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 2 1 /c 0xf0 /d " Back " /g 49 7 /c 0xf0 /d " Launch " /g 49 11 /c 0xf0 /d " Launch " /g 49 15 /c 0xf0 /d " Launch " /c 0x07
    3⤵
    PID:4816
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 0 0 79 2 47 6 60 8 47 10 60 12 47 14 60 16 /H f8
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Commands\Hidden\Adapters2.exe
    Adapters2.exe
    3⤵
    PID:3688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:2440
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 0 2 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 0 1 /a 32 /d " " /a 32 /g 0 0 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:4680
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 8 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 7 /a 32 /d " " /a 32 /g 47 6 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 12 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 11 /a 32 /d " " /a 32 /g 47 10 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 47 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 47 15 /a 32 /d " " /a 32 /g 47 14 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1104
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 2 1 /c 0xf0 /d " Back " /g 49 7 /c 0xf0 /d " Launch " /g 49 11 /c 0xf0 /d " Launch " /g 49 15 /c 0xf0 /d " Launch " /c 0x07
    3⤵
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 0 0 79 2 47 6 60 8 47 10 60 12 47 14 60 16 /H f8
    3⤵
    PID:5032
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 0 2 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 0 1 /a 32 /d " " /a 32 /g 0 0 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 2 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 2 17 /a 32 /d " " /a 32 /g 2 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    batbox /c 0xf0 /g 42 18 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /g 42 17 /a 32 /d " " /a 32 /g 42 16 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /a 32 /c 0x07
    3⤵
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\batbox.exe
    Batbox /g 2 1 /c 0xf0 /d " Spoofer " /g 4 17 /c 0xf0 /d " Clean " /g 44 17 /c 0xf0 /d " Manual Options " /c 0x07
    3⤵
    PID:3984
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\GetInput.exe
    GetInput /M 0 0 79 2 2 16 38 18 42 16 77 18 /H f8
    3⤵
    PID:3484
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:1376
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4812
- - C:\Users\Admin\AppData\Local\Temp\Monotone-HWID-Spoofer-0.0.1\Commands\Hidden\Adapters.exe
    Commands\Hidden\Adapters.exe
    3⤵
    - Checks SCSI registry key(s)
    PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\96A2.tmp\96A3.tmp\96A4.bat

Filesize
17KB

MD5
c5b9f5f77bee19857e4331300d080e3b

SHA1
50f5d39311cf12636d9ebe58aa4464578995f112

SHA256
a689ce9bdcdbc32ad39cbab6349453847a71a386cb4c4be4ffe2daff57fce52d

SHA512
ecb86677eb5bb0c0dc8b7c1d351cd7409772699393ebce902fcaa05442d46da112cfe8ca2215794ae2308c573d56fd51fd8920c488ff20c7b1c96cd7fced1dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BF.tmp\9C0.tmp\9C1.bat

Filesize
234B

MD5
6bf25f359aa5fbd7e1dd035df781227c

SHA1
f13a903548ba59fe28e1b6edca19bab5083b806d

SHA256
db9b3975c87afa294cafdd40cac28ed305d39c6215aa170dc3cf6005e86f9e46

SHA512
ea91c96d2d8a5c28e4d81af7ac0175b9dcd6757e97925609ac23ce4e1738698c10ffd05ce446610330d6f66b78f01336df1a997d1535ab8d0925eef2de9ae314

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpk2ii1v.idu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/212-40-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/556-52-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/756-69-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/756-68-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1008-58-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1008-57-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1104-66-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1188-59-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1272-30-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1272-31-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1316-48-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1420-35-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1420-34-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1432-51-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1608-26-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1608-27-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1704-43-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1752-65-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1888-70-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1952-28-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1952-29-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2124-18-0x000002507D420000-0x000002507D442000-memory.dmp

Filesize
136KB

Download
memory/2520-12-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2652-50-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2652-49-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3028-46-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3032-61-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3032-5-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3032-6-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3084-33-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3344-53-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3528-4-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3584-8-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3584-9-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3796-47-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3984-73-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4000-39-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4000-38-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4276-54-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4276-55-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4488-41-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4488-42-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4596-64-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4680-63-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4744-11-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4744-10-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4756-2-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4756-3-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4788-67-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4856-45-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4856-44-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4884-71-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4884-72-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4980-36-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4980-37-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/5096-7-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download