Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 11/08/2024, 04:32
Static task: static1
Behavioral task: behavioral1
  Sample: hwid-window-spoofer-main/hwid_magic.bat
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: hwid-window-spoofer-main/hwid_magic.bat
  Resource: win10v2004-20240802-en
General
Target: hwid-window-spoofer-main/hwid_magic.bat
Size: 45KB
MD5: a3ab5c1d3d86d27b3764d5ff39adde5e
SHA1: ac8bdc4e94db981ccdb78d0b246f7925b56f7ac7
SHA256: b4412cbb504063c9dff0f4c41f3efbdf836c0fa95a0d932de85cb80df51276d6
SHA512: 5fe3819d693745f8595b8b18fa1b3b94f69adbd1575fb2397889d65bfb2b9d70052016ac613365e2df9567b8e3a412bad609c9786e5991e0d08e019d6b17f474
SSDEEP: 384:57wK8+SMS8Sn16d/s16JijVAJ9OSU5RCn3I3k4L1oPunRz+eV5pK/F23aKVed+NE:5IKSBL1oP6Rz+Enfdh9YL8oPbT
Malware Config
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access or copy of a web browser credential store. No IoC rows are attached to this signature in this report.

Deletes itself (1 IoC)
pid 2688, Process cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are attached to this signature in this report, and none of the command lines in the process tree below reference a browser profile.

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only): \??\E: by cmd.exe
Drops file in Windows directory (64 IoCs)
All 64 entries are files under C:\Windows\INF (performance-counter .ini/.h definitions and driver .inf files) opened by cmd.exe. "Opened for modification" records an open with write access; the report does not show whether any file contents actually changed.
File opened for modification, Process cmd.exe:
C:\Windows\INF\rdyboost\0407\ReadyBoostPerfCounters.ini
C:\Windows\INF\SERVIC~1.0\0C0A\_ServiceModelEndpointPerfCounters_D.ini
C:\Windows\INF\SMSVCH~1.0\0410\_SMSvcHostPerfCounters_D.ini
C:\Windows\INF\usbhub\0411\usbperf.ini
C:\Windows\INF\WINDOW~1.0\0410\PerfCounters_D.ini
C:\Windows\INF\NETDAT~1\0407\_DataOracleClientPerfCounters_shared12_neutral_D.ini
C:\Windows\INF\de-DE\netavpnt.inf_loc
C:\Windows\INF\netpacer.inf
C:\Windows\INF\ESENT\esentprf.hxx
C:\Windows\INF\SERVIC~2.0\040C\_ServiceModelServicePerfCounters_D.ini
C:\Windows\INF\rdyboost\0409\ReadyBoostPerfCounters.ini
C:\Windows\INF\rdyboost\ReadyBoostPerfCounters.h
C:\Windows\INF\REMOTE~1\0409\rasctrs.ini
C:\Windows\INF\secrecs.inf
C:\Windows\INF\SERVIC~1.0\0411\_ServiceModelEndpointPerfCounters_D.ini
C:\Windows\INF\SERVIC~2.0\0000\_ServiceModelServicePerfCounters_D.ini
C:\Windows\INF\NETCLR~1\0000\_DataPerfCounters_D.ini
C:\Windows\INF\NETDAT~1\0C0A\_DataOracleClientPerfCounters_shared12_neutral_D.ini
C:\Windows\INF\it-IT\netavpna.inf_loc
C:\Windows\INF\ESENT\0409\esentprf.ini
C:\Windows\INF\MSDTC\040C\msdtcprf.ini
C:\Windows\INF\TERMSE~1\0410\tslabels.ini
C:\Windows\INF\UGATHE~1\0000\gsrvctr.ini
C:\Windows\INF\ESENT\040C\esentprf.ini
C:\Windows\INF\SERVIC~3.0\0410\_ServiceModelOperationPerfCounters_D.ini
C:\Windows\INF\TERMSE~1\040C\tslabels.ini
C:\Windows\INF\NETDAT~2\0C0A\_dataperfcounters_shared12_neutral_D.ini
C:\Windows\INF\TAPISRV\0000\tapiperf.ini
C:\Windows\INF\WINDOW~1.0\040C\PerfCounters_D.ini
C:\Windows\INF\SERVIC~3.0\0407\_ServiceModelOperationPerfCounters_D.ini
C:\Windows\INF\TAPISRV\perfctr.h
C:\Windows\INF\NETDAT~2\0410\_dataperfcounters_shared12_neutral_D.ini
C:\Windows\INF\MSDTCB~1.0\0409\_TransactionBridgePerfCounters_D.ini
C:\Windows\INF\netrasa.inf
C:\Windows\INF\WINDOW~1.0\0411\PerfCounters_D.ini
C:\Windows\INF\MSDTC\0411\msdtcprf.ini
C:\Windows\INF\SERVIC~1.0\0407\_ServiceModelEndpointPerfCounters_D.ini
C:\Windows\INF\UGATHE~1\040C\gsrvctr.ini
C:\Windows\INF\TERMSE~1\tslabels.h
C:\Windows\INF\REMOTE~1\0411\rasctrs.ini
C:\Windows\INF\rspndr.inf
C:\Windows\INF\SERVIC~1.0\0410\_ServiceModelEndpointPerfCounters_D.ini
C:\Windows\INF\ndisuio.inf
C:\Windows\INF\SERVIC~2.0\0C0A\_ServiceModelServicePerfCounters_D.ini
C:\Windows\INF\WSEARC~1\idxcntrs.h
C:\Windows\INF\usbhub\usbperfsym.h
C:\Windows\INF\WINDOW~1.0\0409\PerfCounters_D.ini
C:\Windows\INF\dwup.inf
C:\Windows\INF\SERVIC~2.0\0409\_ServiceModelServicePerfCounters_D.ini
C:\Windows\INF\UGTHRSVC\0411\gthrctr.ini
C:\Windows\INF\nettcpip.inf
C:\Windows\INF\SMSVCH~1.0\0409\_SMSvcHostPerfCounters_D.ini
C:\Windows\INF\ESENT\0000\esentprf.ini
C:\Windows\INF\MSDTCB~1.0\040C\_TransactionBridgePerfCounters_D.ini
C:\Windows\INF\netpgm.inf
C:\Windows\INF\UGATHE~1\0C0A\gsrvctr.ini
C:\Windows\INF\NETCLR~1\0407\_DataPerfCounters_D.ini
C:\Windows\INF\en-US\netavpna.inf_loc
C:\Windows\INF\fr-FR\netavpnt.inf_loc
C:\Windows\INF\NETCLR~1\0410\_DataPerfCounters_D.ini
C:\Windows\INF\NETDAT~1\0411\_DataOracleClientPerfCounters_shared12_neutral_D.ini
C:\Windows\INF\MSDTC\0407\msdtcprf.ini
C:\Windows\INF\MSDTCB~1.0\0410\_TransactionBridgePerfCounters_D.ini
C:\Windows\INF\puwk.inf
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 30 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid, Process: 2000, 2960, 1292, 2404, 1980, 1088, 1760, 844, 1364, 2304, 2008, 376, 2124, 2468, 2884, 920, 2416, 2920, 576, 1472, 1092, 2224, 1444, 2136, 1048, 1152, 1500, 2896, 892, 1324 (all PING.EXE)
All 30 invocations are ping -n 2 "" with an empty target (see the process tree), and the Network section of this report records nothing, so this signature is not evidence of a completed connectivity check.

Kills process with taskkill (8 IoCs)
pid, Process: 2776, 2816, 2696, 2848, 2596, 1612, 3060, 2796 (all taskkill.exe)
The targets are the Epic Games launcher and Fortnite client processes; the image names are in the process tree below.

Runs ping.exe (1 TTP, 30 IoCs)
pid, Process: 576, 1048, 2404, 2468, 2416, 844, 1324, 920, 2884, 2136, 892, 1760, 2960, 1472, 1292, 1444, 1088, 2304, 2124, 2224, 1152, 1980, 2920, 376, 1364, 1092, 1500, 2008, 2000, 2896 (all PING.EXE)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token privileges enabled, Process WMIC.exe, pid 1204 (the list appears twice) and pid 2632 (once in full, then cut off after SeLoadDriverPrivilege by the 64-row cap):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
The numeric entries are privilege LUIDs the report did not resolve to a name (33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege). WMIC.exe enables every privilege already present in its token when it starts, so this list shows that the script ran from an elevated sandbox account; it is not evidence that the script gained privileges it did not already have.
Suspicious use of WriteProcessMemory (64 IoCs)
description, pid, Process, procid_target (each pair is listed three times in the raw report; the list is cut off at 64 rows):
PID 2688 (cmd.exe) wrote to memory of 2792 (target 31), 2808 (32), 2812 (33), 1204 (35), 2632 (37), 760 (38), 600 (39), 2544 (40), 2000 (41), 2136 (42), 2960 (43), 2416 (44), 2896 (45), 1292 (46), 1980 (47), 376 (48), 892 (49), 2920 (50), 2124 (51), 844 (52), 576 (53)
PID 2812 (cmd.exe) wrote to memory of 2776 (target 34)
Every target PID is a direct child of the writer in the process tree below. These rows are how child-process creation by cmd.exe shows up under this signature; they are not injection into an unrelated process.
Processes
(indentation shows the parent/child relationship; "signatures:" lists the behaviours the report attaches to that process)

PID 2688  C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat"
    signatures: Deletes itself; Enumerates connected drives; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  PID 2792  C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  PID 2808  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  PID 2812  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat""
      signatures: Suspicious use of WriteProcessMemory
    PID 2776  C:\Windows\system32\findstr.exe
        findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat"
  PID 1204  C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      signatures: Suspicious use of AdjustPrivilegeToken
  PID 2632  C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      signatures: Suspicious use of AdjustPrivilegeToken
  PID 760  C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
  PID 600  C:\Windows\System32\choice.exe
      C:\Windows\System32\choice.exe /C YN /N /M "Do you want to spoof it? [Y/N]?"
  PID 2544  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /Z "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat" nul
  PIDs 2000, 2136, 2960, 2416, 2896, 1292, 1980, 376, 892, 2920, 2124, 844, 576, 1048, 1364, 1472, 1152, 1092, 2224, 1444, 1088, 2304, 2404, 1324, 2468, 920, 1500, 2008, 1760, 2884  C:\Windows\system32\PING.EXE (30 identical children, launched in this order)
      ping -n 2 ""
      signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
  PID 1712  C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
  PID 2036  C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
  PID 2348  C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
  PID 2520  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat""
    PID 2428  C:\Windows\system32\findstr.exe
        findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat"
  PID 2332  C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
  PID 1964  C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
  PID 636  C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
  PID 1792  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat""
    PID 1836  C:\Windows\system32\findstr.exe
        findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat"
  PID 884  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat""
    PID 1788  C:\Windows\system32\findstr.exe
        findstr /b /c:":menu_" "C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat"
  PID 1612  C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      signatures: Kills process with taskkill
  PID 3060  C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      signatures: Kills process with taskkill
  PID 2796  C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      signatures: Kills process with taskkill
  PID 2776  C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      signatures: Kills process with taskkill
  PID 2816  C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      signatures: Kills process with taskkill
  PID 2696  C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      signatures: Kills process with taskkill
  PID 2848  C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      signatures: Kills process with taskkill
  PID 2596  C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      signatures: Kills process with taskkill
  PID 2916  C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f
  PID 932  C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  PID 3032  C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f

Notes on the tree: the script reads the disk, memory and baseboard serial numbers three times over (three wmic triplets), prompts the user via choice.exe, force-kills the Epic Games launcher and the Fortnite client (the _EAC and _BE suffixes are the Easy Anti-Cheat and BattlEye builds of the client), and deletes the Epic Games registry keys under HKLM and HKCU. PID 2776 is reused within the run (findstr.exe early on, taskkill.exe later), so correlate on PID plus image name, not PID alone.
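The signature rows and the process tree above are easier to reason about programmatically than by eye. The following is an added example written for this page; it is not code from the tria.ge report or from the hwid-window-spoofer project. It embeds a subset of this report's command lines and WriteProcessMemory rows as sample input, classifies each command line into the behaviour it represents, rebuilds parent/child links from the tree depth, and checks that every WriteProcessMemory target is a direct child of the writer. The category names, the regexes and the (pid, depth, command line) row convention are this example's own assumptions.

```python
"""Triage helper for the hwid_magic.bat report above (added example, not part
of the report or of the analysed project).  It re-reads the report's own rows,
embedded below as sample input, and (1) rebuilds parent/child links from the
tree depth, (2) classifies every command line, (3) deduplicates the
WriteProcessMemory rows and flags any write whose target is not a child the
writer just created.  Categories and regexes are this example's conventions."""
import re
from collections import Counter

# Path of the analysed batch file, exactly as it appears in the report.
BAT = r"C:\Users\Admin\AppData\Local\Temp\hwid-window-spoofer-main\hwid_magic.bat"

# Sample input copied from the Processes section: (pid, tree depth, command
# line).  A representative subset; the remaining ping, wmic, taskkill and reg
# children in the report match the same rules.
PROCESS_ROWS = [
    (2688, 1, f'cmd /c "{BAT}"'),
    (2792, 2, r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"'),
    (2808, 2, r'C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"'),
    (2812, 2, f'C:\\Windows\\system32\\cmd.exe /c "findstr /b /c:":menu_" "{BAT}""'),
    (2776, 3, f'findstr /b /c:":menu_" "{BAT}"'),
    (1204, 2, "wmic diskdrive get serialnumber"),
    (2632, 2, "wmic memorychip get serialnumber"),
    (760, 2, "wmic baseboard get serialnumber"),
    (600, 2, r'C:\Windows\System32\choice.exe /C YN /N /M "Do you want to spoof it? [Y/N]?"'),
    (2544, 2, f'C:\\Windows\\system32\\cmd.exe /c copy /Z "{BAT}" nul'),
    (2000, 2, 'ping -n 2 ""'),
    (1612, 2, "taskkill /f /im epicgameslauncher.exe"),
    (3060, 2, "taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe"),
    (2916, 2, r'reg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" /f'),
]

# Sample input copied from the WriteProcessMemory signature.  tria.ge lists
# each writer/target pair three times; the trailing number is the target's
# index in the process tree, not a PID.
WPM_ROWS = (
    "PID 2688 wrote to memory of 2792 2688 cmd.exe 31 "
    "PID 2688 wrote to memory of 2792 2688 cmd.exe 31 "
    "PID 2688 wrote to memory of 2792 2688 cmd.exe 31 "
    "PID 2688 wrote to memory of 2808 2688 cmd.exe 32 "
    "PID 2688 wrote to memory of 2812 2688 cmd.exe 33 "
    "PID 2812 wrote to memory of 2776 2812 cmd.exe 34 "
    "PID 2688 wrote to memory of 1204 2688 cmd.exe 35 "
    "PID 2688 wrote to memory of 2632 2688 cmd.exe 37 "
    "PID 2688 wrote to memory of 2000 2688 cmd.exe 41"
)

# Ordered rules: first match wins, so the specific idioms (findstr, prompt,
# copy /Z) are tested before the generic "cmd /c" interpreter rule.
RULES = [
    ("hwid-collection", re.compile(r"^wmic\s+(diskdrive|memorychip|baseboard)\s+get\s+serialnumber", re.I)),
    ("process-kill", re.compile(r"^taskkill\s+/f\s+/im\s+(\S+)", re.I)),
    ("registry-delete", re.compile(r'^reg\s+delete\s+"([^"]+)"', re.I)),
    # cacls on config\system is the common batch-file test for elevation
    ("elevation-check", re.compile(r"cacls\.exe.*\\config\\system", re.I)),
    # the script greps its own file for labels beginning with ":menu_"
    ("self-read", re.compile(r'findstr\s+/b\s+/c:":menu_"', re.I)),
    # prompt $H$E and copy /Z are cmd idioms for capturing control characters
    ("console-char-trick", re.compile(r"prompt\s+#\$H#\$E#|copy\s+/Z\s+", re.I)),
    ("ping-empty-target", re.compile(r'^ping\s+-n\s+\d+\s+""$', re.I)),
    ("user-prompt", re.compile(r"choice\.exe", re.I)),
    ("interpreter", re.compile(r"^(?:cmd(?:\.exe)?|C:\\Windows\\system32\\cmd\.exe)\s+/c\s", re.I)),
]


def classify(cmdline):
    """Return (category, captured detail or None) for one command line."""
    for name, rx in RULES:
        m = rx.search(cmdline)
        if m:
            return name, (m.group(1) if m.groups() else None)
    return "other", None


def summarize(rows):
    """Count behaviours and collect the details worth putting in a write-up."""
    counts = Counter()
    details = {"hwid-collection": [], "process-kill": [], "registry-delete": []}
    for _pid, _depth, cmdline in rows:
        cat, detail = classify(cmdline)
        counts[cat] += 1
        if cat in details:
            details[cat].append(detail)
    return counts, details


def parents_from_tree(rows):
    """Derive pid -> parent pid from the depth column of the process tree."""
    parent, stack = {}, []
    for pid, depth, _ in rows:
        del stack[depth - 1:]  # drop everything deeper than this row's parent
        parent[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parent


WPM_RX = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def audit_writes(wpm_text, rows):
    """Return (distinct writer/target pairs, pairs whose target is not a direct
    child of the writer).  An empty second list means every write is ordinary
    process creation rather than injection into a foreign process."""
    parent = parents_from_tree(rows)
    pairs = {(int(w), int(t)) for w, t in WPM_RX.findall(wpm_text)}
    foreign = sorted(p for p in pairs if parent.get(p[1]) != p[0])
    return pairs, foreign


if __name__ == "__main__":
    counts, details = summarize(PROCESS_ROWS)
    pairs, foreign = audit_writes(WPM_ROWS, PROCESS_ROWS)
    print(dict(counts))
    print("serial numbers queried:", details["hwid-collection"])
    print("images killed:", details["process-kill"])
    print("keys deleted:", details["registry-delete"])
    print(f"{len(pairs)} distinct process-creation writes; foreign targets: {foreign}")
```

To apply it to the whole report, paste the remaining rows into PROCESS_ROWS and WPM_ROWS in the same shape; a non-empty foreign list from audit_writes is the case that would justify the "Suspicious use of WriteProcessMemory" label, and for this report it stays empty.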
Network
(this section of the report is empty: no network indicators are recorded)
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)