Analysis

  • max time kernel
    18s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 13:48

General

  • Target

    VixenCleaner.exe

  • Size

    5.0MB

  • MD5

    f896695ef615c4d5e09df4ccaa2984b5

  • SHA1

    8f3517b2ecdf56d7372e7e89b35be6ee096f5292

  • SHA256

    7ad75a6780417178b6026fe7f18a38dcb455e60d0f09391bbb9de6d9487c0526

  • SHA512

    1aeb0b8f24354bce29df0855cd92456af1245f011918551ea383b2a9a1e0cd5add583b06fe541de771fd2507188e23446e022c0054187b20882e7c5393990516

  • SSDEEP

    98304:Yxt16Pb/JC9apF5i6QzMffuhWMrd4wg4R6qVUlYL5jGTUp4c4gU:Yz8D/g9vzwfuo+2wz7VjGAp

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Network Service Discovery 1 TTPs 4 IoCs

    Attempt to gather information on host's network.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Launches sc.exe 18 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 11 IoCs
  • Modifies registry key 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im /f fortnite* /t >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\system32\taskkill.exe
        taskkill /im /f fortnite* /t
        3⤵
        • Kills process with taskkill
        PID:3156
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im /f easyantiche* /t >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\system32\taskkill.exe
        taskkill /im /f easyantiche* /t
        3⤵
        • Kills process with taskkill
        PID:3528
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im /f beservice* /t >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\system32\taskkill.exe
        taskkill /im /f beservice* /t
        3⤵
        • Kills process with taskkill
        PID:1908
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im /f epicweb* /t >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Windows\system32\taskkill.exe
        taskkill /im /f epicweb* /t
        3⤵
        • Kills process with taskkill
        PID:1568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im /f epicgames* /t >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Windows\system32\taskkill.exe
        taskkill /im /f epicgames* /t
        3⤵
        • Kills process with taskkill
        PID:1760
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im /f WmiPrv* /f /t >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\system32\taskkill.exe
        taskkill /im /f WmiPrv* /f /t
        3⤵
        • Kills process with taskkill
        PID:3896
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color
      2⤵
      PID:3956
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2668
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color b
      2⤵
      PID:4856
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause >nul
      2⤵
      PID:3052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q %localappdata%\FortniteGame\ >nul 2>&1
      2⤵
      PID:1280
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q %localappdata%\FortniteGame\ >nul 2>&1
      2⤵
      PID:732
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop easyanticheat >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\system32\sc.exe
        sc stop easyanticheat
        3⤵
        • Launches sc.exe
        PID:3788
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop easyanticheat_eos >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\system32\sc.exe
        sc stop easyanticheat_eos
        3⤵
        • Launches sc.exe
        PID:4164
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop easyanticheat_eossys >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\system32\sc.exe
        sc stop easyanticheat_eossys
        3⤵
        • Launches sc.exe
        PID:3376
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop easyanticheat_sys >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\system32\sc.exe
        sc stop easyanticheat_sys
        3⤵
        • Launches sc.exe
        PID:4720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop easyanticheatsys >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\system32\sc.exe
        sc stop easyanticheatsys
        3⤵
        • Launches sc.exe
        PID:2236
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bedaisy >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\system32\sc.exe
        sc stop bedaisy
        3⤵
        • Launches sc.exe
        PID:3716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\system32\sc.exe
        sc stop beservice
        3⤵
        • Launches sc.exe
        PID:992
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
      2⤵
      PID:4240
      • C:\Windows\system32\sc.exe
        sc stop beservice
        3⤵
        • Launches sc.exe
        PID:3588
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
      2⤵
      PID:4020
      • C:\Windows\system32\sc.exe
        sc stop beservice
        3⤵
        • Launches sc.exe
        PID:3672
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete easyanticheat >nul 2>&1
      2⤵
      PID:5108
      • C:\Windows\system32\sc.exe
        sc delete easyanticheat
        3⤵
        • Launches sc.exe
        PID:1052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete easyanticheat_eos >nul 2>&1
      2⤵
      PID:4816
      • C:\Windows\system32\sc.exe
        sc delete easyanticheat_eos
        3⤵
        • Launches sc.exe
        PID:1008
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete easyanticheat_eossys >nul 2>&1
      2⤵
      PID:3256
      • C:\Windows\system32\sc.exe
        sc delete easyanticheat_eossys
        3⤵
        • Launches sc.exe
        PID:3152
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete easyanticheat_sys >nul 2>&1
      2⤵
      PID:996
      • C:\Windows\system32\sc.exe
        sc delete easyanticheat_sys
        3⤵
        • Launches sc.exe
        PID:1612
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete easyanticheatsys >nul 2>&1
      2⤵
      PID:4476
      • C:\Windows\system32\sc.exe
        sc delete easyanticheatsys
        3⤵
        • Launches sc.exe
        PID:5016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bedaisy >nul 2>&1
      2⤵
      PID:2468
      • C:\Windows\system32\sc.exe
        sc delete bedaisy
        3⤵
        • Launches sc.exe
        PID:2392
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
      2⤵
      PID:4308
      • C:\Windows\system32\sc.exe
        sc delete beservice
        3⤵
        • Launches sc.exe
        PID:4560
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
      2⤵
      PID:4908
      • C:\Windows\system32\sc.exe
        sc delete beservice
        3⤵
        • Launches sc.exe
        PID:4036
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
      2⤵
      PID:1860
      • C:\Windows\system32\sc.exe
        sc delete beservice
        3⤵
        • Launches sc.exe
        PID:4088
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EasyAntiCheat_EOS" /f >nul 2>&1
      2⤵
      PID:2804
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EasyAntiCheat_EOS" /f
        3⤵
        PID:4488
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Khronos" /f >nul 2>&1
      2⤵
      PID:1132
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Khronos" /f
        3⤵
        PID:2664
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Khronos" /f >nul 2>&1
      2⤵
      PID:344
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Khronos" /f
        3⤵
        PID:1424
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EasyAntiCheat_EOS" /f >nul 2>&1
      2⤵
      PID:1116
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EasyAntiCheat_EOS" /f
        3⤵
        PID:3428
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f >nul 2>&1
      2⤵
      PID:3856
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        3⤵
        PID:2560
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f >nul 2>&1
      2⤵
      PID:3232
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f
        3⤵
        PID:3516
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\EpicGamesLauncher\" >nul 2>&1
      2⤵
      PID:436
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f >nul 2>&1
      2⤵
      PID:1480
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:2568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Khronos" /f >nul 2>&1
      2⤵
      PID:1152
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Khronos" /f
        3⤵
        PID:1780
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Khronos" /f >nul 2>&1
      2⤵
      PID:1532
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Khronos" /f
        3⤵
        PID:384
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f >nul 2>&1
      2⤵
      PID:648
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:1760
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
      2⤵
      PID:4224
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
        3⤵
        PID:3920
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
      2⤵
      PID:1764
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
        3⤵
        PID:2532
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
      2⤵
      PID:4076
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
        3⤵
        PID:1540
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f >nul 2>&1
      2⤵
      PID:860
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
        3⤵
        PID:404
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f >nul 2>&1
      2⤵
      PID:1252
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
        3⤵
        PID:4980
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
      2⤵
      PID:1920
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
        3⤵
        PID:3216
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
      2⤵
      PID:3524
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
        3⤵
        PID:4732
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f >nul 2>&1
      2⤵
      PID:3720
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
        3⤵
        PID:4524
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f >nul 2>&1
      2⤵
      PID:1684
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
        3⤵
        PID:1984
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\EpicGames" /f >nul 2>&1
      2⤵
      PID:4936
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\EpicGames" /f
        3⤵
        PID:2600
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
      2⤵
      PID:4724
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Epic Games" /f
        3⤵
        PID:4928
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:536
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start /MIN "" "C:\Windows\System32\VolumeID.exe" -nobanner /accepteula C: 1C6E-93E4
      2⤵
      PID:3348
      • C:\Windows\System32\VolumeID.exe
        "C:\Windows\System32\VolumeID.exe" -nobanner /accepteula C: 1C6E-93E4
                                                                                                                                    3⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:2236
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                                                                                  2⤵
                                                                                                                                    PID:3572
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c color b
                                                                                                                                    2⤵
                                                                                                                                      PID:2616
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c del /F "C:\Windows\System32\VolumeID.exe" >nul 2>&1
                                                                                                                                      2⤵
                                                                                                                                        PID:1052
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c cls
                                                                                                                                        2⤵
                                                                                                                                          PID:1572
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet >nul 2>&1
                                                                                                                                          2⤵
                                                                                                                                            PID:3128
                                                                                                                                            • C:\Windows\system32\vssadmin.exe
                                                                                                                                              vssadmin delete shadows /All /Quiet
                                                                                                                                              3⤵
                                                                                                                                              • Interacts with shadow copies
                                                                                                                                              PID:1308
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
                                                                                                                                            2⤵
                                                                                                                                              PID:4752
                                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                                taskkill /im WmiPrv* /f /t
                                                                                                                                                3⤵
                                                                                                                                                • Kills process with taskkill
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:1056
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
                                                                                                                                              2⤵
                                                                                                                                                PID:344
                                                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                                                  taskkill /im WmiPrv* /f /t
                                                                                                                                                  3⤵
                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:4420
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
                                                                                                                                                2⤵
                                                                                                                                                  PID:1956
                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                    taskkill /im WmiPrv* /f /t
                                                                                                                                                    3⤵
                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    PID:2960
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                                                                                                  2⤵
                                                                                                                                                    PID:3984
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
                                                                                                                                                    2⤵
                                                                                                                                                      PID:3920
                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                        taskkill /im WmiPrv* /f /t
                                                                                                                                                        3⤵
                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                        PID:4224
                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
                                                                                                                                                      2⤵
                                                                                                                                                        PID:1628
                                                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                                                          taskkill /im WmiPrv* /f /t
                                                                                                                                                          3⤵
                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                          PID:2452
                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
                                                                                                                                                        2⤵
                                                                                                                                                          PID:1196
                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                            REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
                                                                                                                                                            3⤵
                                                                                                                                                            • Modifies registry key
                                                                                                                                                            PID:4084
                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
                                                                                                                                                          2⤵
                                                                                                                                                            PID:2152
                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                              REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
                                                                                                                                                              3⤵
                                                                                                                                                              • Modifies registry key
                                                                                                                                                              PID:1468
                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
                                                                                                                                                            2⤵
                                                                                                                                                              PID:2712
                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
                                                                                                                                                                3⤵
                                                                                                                                                                • Modifies registry key
                                                                                                                                                                PID:3468
                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
                                                                                                                                                              2⤵
                                                                                                                                                                PID:2988
                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                  REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d 8647-11229-26858-17858 /f
                                                                                                                                                                  3⤵
                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                  PID:2708
                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:4728
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d 8647-11229-26858-17858 /f
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                    PID:3708
                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:4080
                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                      REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                      PID:536
                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r%random% /f >nul 2>&1
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:2136
                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                        REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r8647 /f
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Modifies registry key
                                                                                                                                                                        PID:3348
                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d "VK7JG-NPHTM-C97JM-9MPGT-3V66T" /f >nul 2>&1
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:3236
                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                          REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d "VK7JG-NPHTM-C97JM-9MPGT-3V66T" /f
                                                                                                                                                                          3⤵
  • Modifies registry key
  PID:4204
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
  2⤵
  PID:2236
  • C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
    3⤵
    • Modifies registry key
    PID:1112
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
  2⤵
  PID:3904
  • C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
    3⤵
    • Modifies registry key
    PID:4964
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v BiosData /f >nul 2>&1
  2⤵
  PID:3200
  • C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v BiosData /f
    3⤵
    PID:5032
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v SMBiosData /f >nul 2>&1
  2⤵
  PID:1788
  • C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v SMBiosData /f
    3⤵
    PID:4816
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId /f >nul 2>&1
  2⤵
  PID:4652
  • C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId /f
    3⤵
    PID:5072
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId0 /f >nul 2>&1
  2⤵
  PID:4196
  • C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId0 /f
    3⤵
    PID:1744
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId1 /f >nul 2>&1
  2⤵
  PID:3152
  • C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId1 /f
    3⤵
    PID:1492
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId2 /f >nul 2>&1
  2⤵
  PID:1632
  • C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId2 /f
    3⤵
    PID:276
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId3 /f >nul 2>&1
  2⤵
  PID:296
  • C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId3 /f
    3⤵
    PID:2428
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId4 /f >nul 2>&1
  2⤵
  PID:5016
  • C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId4 /f
    3⤵
    PID:1612
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId5 /f >nul 2>&1
  2⤵
  PID:2572
  • C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId5 /f
    3⤵
    PID:1860
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId6 /f >nul 2>&1
  2⤵
  PID:5096
  • C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId6 /f
    3⤵
    PID:3332
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
  2⤵
  PID:4360
  • C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
    3⤵
    • Modifies registry key
    PID:4932
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
  2⤵
  PID:464
  • C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
    3⤵
    • Modifies registry key
    PID:332
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLab /t REG_SZ /d r%random%_%random%%random%.%random%-%random%%random%%random% /f >nul 2>&1
  2⤵
  PID:4044
  • C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLab /t REG_SZ /d r8650_2197811954.9154-270663188322873 /f
    3⤵
    • Modifies registry key
    PID:3528
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLabEx /t REG_SZ /d r%random%_%random%%random%.%random%-%random%%random%%random% /f >nul 2>&1
  2⤵
  PID:3024
  • C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLabEx /t REG_SZ /d r8650_2197811954.9154-270663188322873 /f
    3⤵
    • Modifies registry key
    PID:1116
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v%random%} /f >nul 2>&1
  2⤵
  PID:4420
  • C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v8650} /f
    3⤵
    • Modifies registry key
    PID:344
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v%random%} /f >nul 2>&1
  2⤵
  PID:2592
  • C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v8650} /f
    3⤵
                                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                                  PID:3280
                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v HwProfileGuid /t REG_SZ /d {xdfdfee%random%-%random%-%random%-%random%} /f >nul 2>&1
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:1896
                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v HwProfileGuid /t REG_SZ /d {xdfdfee8650-21978-11954-9154} /f
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                                                    PID:1784
                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v GUID /t REG_SZ /d {faaeaa%random%-%random%-%random%-%random%} /f >nul 2>&1
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:728
                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v GUID /t REG_SZ /d {faaeaa8650-21978-11954-9154} /f
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                      PID:1568
                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r%random% /f >nul 2>&1
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:620
                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                        REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r8650 /f
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                        • Modifies registry key
                                                                                                                                                                                                                                        PID:1272
                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r%random% /f >nul 2>&1
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:3068
                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                          REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r8650 /f
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • Modifies registry key
                                                                                                                                                                                                                                          PID:1532
                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r%random% /f >nul 2>&1
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:4780
                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                            REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r8650 /f
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                            • Modifies registry key
                                                                                                                                                                                                                                            PID:2524
                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd%random%-%random%-%random%-%random%} /f >nul 2>&1
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:4772
                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                              REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd8650-21978-11954-9154} /f
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                              • Modifies registry key
                                                                                                                                                                                                                                              PID:1764
                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f >nul 2>&1
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:2356
                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallDate /t REG_SZ /d 8650 /f
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                • Modifies registry key
                                                                                                                                                                                                                                                PID:3956
                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f >nul 2>&1
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:2608
                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                  REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallTime /t REG_SZ /d 8650 /f
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • Modifies registry key
                                                                                                                                                                                                                                                  PID:3860
                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&1
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:3176
                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8650-21978-11954-9154} /f
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • Modifies registry key
                                                                                                                                                                                                                                                    PID:1920
                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:4856
                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                      REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 8650-21978-11954-9154 /f
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Modifies registry key
                                                                                                                                                                                                                                                      PID:3192
                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&1
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:4980
                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8650-21978-11954-9154} /f
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                        • Modifies registry key
    PID:4076
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d %random% /f >nul 2>&1
    2⤵
      PID:380
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 8650 /f
      3⤵
      • Modifies registry key
        PID:3720
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f >nul 2>&1
    2⤵
      PID:1528
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
      3⤵
      • Enumerates system info in registry
        PID:1684
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f >nul 2>&1
    2⤵
      PID:4500
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
      3⤵
      • Enumerates system info in registry
        PID:4936
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f >nul 2>&1
    2⤵
      PID:1276
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
      3⤵
      • Enumerates system info in registry
        PID:4724
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f >nul 2>&1
    2⤵
      PID:2924
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
      3⤵
      • Enumerates system info in registry
        PID:644
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f >nul 2>&1
    2⤵
      PID:2116
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
      3⤵
        PID:2896
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f >nul 2>&1
    2⤵
      PID:5036
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
      3⤵
        PID:4468
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f >nul 2>&1
    2⤵
      PID:2684
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f
      3⤵
        PID:992
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f >nul 2>&1
    2⤵
      PID:4512
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f
      3⤵
        PID:3580
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f >nul 2>&1
    2⤵
      PID:5052
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
      3⤵
        PID:1948
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&1
    2⤵
      PID:1092
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8653-32726-29818-449} /f
      3⤵
      • Modifies registry key
        PID:4020
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&1
    2⤵
      PID:916
    • C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8653-32726-29818-449} /f
      3⤵
      • Modifies registry key
        PID:4132
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f >nul 2>&1
    2⤵
      PID:4816
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f
      3⤵
        PID:1788
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    2⤵
      PID:5072
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
    2⤵
    • Network Service Discovery
      PID:4652
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\ARP.EXE
                                                                                                                                                                                                                                                                                                arp -a
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                • Network Service Discovery
                                                                                                                                                                                                                                                                                                PID:1744
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:4196
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\ARP.EXE
                                                                                                                                                                                                                                                                                                  arp -d
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:1492
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                  • Network Service Discovery
                                                                                                                                                                                                                                                                                                  PID:3152
                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\ARP.EXE
                                                                                                                                                                                                                                                                                                    arp -a
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                    • Network Service Discovery
                                                                                                                                                                                                                                                                                                    PID:276
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:1632
                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                      WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                      PID:2428
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                  PID:4156

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Windows\System32\VolumeID.exe
  Filesize: 165KB
  MD5: 81a45f1a91448313b76d2e6d5308aa7a
  SHA1: 0d615343d5de03da03bce52e11b233093b404083
  SHA256: fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
  SHA512: 675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

• memory/684-12-0x0000000140000000-0x0000000140886000-memory.dmp
  Filesize: 8.5MB

• memory/684-1-0x00007FFA7C7D0000-0x00007FFA7C7D2000-memory.dmp
  Filesize: 8KB

• memory/684-3-0x0000000140000000-0x0000000140886000-memory.dmp
  Filesize: 8.5MB

• memory/684-6-0x0000000140065000-0x0000000140390000-memory.dmp
  Filesize: 3.2MB

• memory/684-2-0x00007FFA7C7E0000-0x00007FFA7C7E2000-memory.dmp
  Filesize: 8KB

• memory/684-0-0x0000000140065000-0x0000000140390000-memory.dmp
  Filesize: 3.2MB