Analysis
max time kernel: 18s
max time network: 26s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 13:48
Static task: static1
Behavioral task: behavioral1
  Sample: VixenCleaner.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: VixenCleaner.exe
  Resource: win10v2004-20241007-en

General
Target: VixenCleaner.exe
Size: 5.0MB
MD5: f896695ef615c4d5e09df4ccaa2984b5
SHA1: 8f3517b2ecdf56d7372e7e89b35be6ee096f5292
SHA256: 7ad75a6780417178b6026fe7f18a38dcb455e60d0f09391bbb9de6d9487c0526
SHA512: 1aeb0b8f24354bce29df0855cd92456af1245f011918551ea383b2a9a1e0cd5add583b06fe541de771fd2507188e23446e022c0054187b20882e7c5393990516
SSDEEP: 98304:Yxt16Pb/JC9apF5i6QzMffuhWMrd4wg4R6qVUlYL5jGTUp4c4gU:Yz8D/g9vzwfuo+2wz7VjGAp
Malware Config
Signatures
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes:
  PID   Process
  2236  VolumeID.exe
  2236  VolumeID.exe

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Processes:
  PID   Process
  4652  cmd.exe
  1744  ARP.EXE
  3152  cmd.exe
  276   ARP.EXE

Drops file in System32 directory (1 IoCs)
Processes:
  Description   IoC                               Process
  File created  C:\Windows\System32\VolumeID.exe  VixenCleaner.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  PID  Process
  684  VixenCleaner.exe
  684  VixenCleaner.exe

Launches sc.exe (18 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  PID   Process
  992   sc.exe
  1052  sc.exe
  2392  sc.exe
  4560  sc.exe
  3788  sc.exe
  4720  sc.exe
  2236  sc.exe
  1612  sc.exe
  4036  sc.exe
  4088  sc.exe
  3716  sc.exe
  1008  sc.exe
  3152  sc.exe
  5016  sc.exe
  3672  sc.exe
  4164  sc.exe
  3376  sc.exe
  3588  sc.exe

Enumerates system info in registry (2 TTPs, 8 IoCs)
Processes:
  Description   IoC                                                                      Process
  Key opened    \REGISTRY\MACHINE\Hardware\Description\System\BIOS                       reg.exe
  Delete value  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor            reg.exe
  Key opened    \REGISTRY\MACHINE\Hardware\Description\System\BIOS                       reg.exe
  Delete value  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate       reg.exe
  Key opened    \REGISTRY\MACHINE\Hardware\Description\System\BIOS                       reg.exe
  Delete value  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     reg.exe
  Key opened    \REGISTRY\MACHINE\Hardware\Description\System\BIOS                       reg.exe
  Delete value  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    reg.exe

Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID   Process
  1308  vssadmin.exe

Kills process with taskkill (11 IoCs)
Processes:
  PID   Process
  3156  taskkill.exe
  3896  taskkill.exe
  4224  taskkill.exe
  4420  taskkill.exe
  2960  taskkill.exe
  2452  taskkill.exe
  3528  taskkill.exe
  1908  taskkill.exe
  1568  taskkill.exe
  1760  taskkill.exe
  1056  taskkill.exe

Modifies registry key (1 TTPs, 30 IoCs)
Processes:
  PID   Process
  3708  reg.exe
  1112  reg.exe
  3280  reg.exe
  1784  reg.exe
  1764  reg.exe
  2708  reg.exe
  1116  reg.exe
  3192  reg.exe
  4132  reg.exe
  4204  reg.exe
  3720  reg.exe
  3528  reg.exe
  344   reg.exe
  1272  reg.exe
  536   reg.exe
  3468  reg.exe
  4932  reg.exe
  1568  reg.exe
  2524  reg.exe
  4020  reg.exe
  1468  reg.exe
  3956  reg.exe
  1920  reg.exe
  4076  reg.exe
  4964  reg.exe
  3348  reg.exe
  332   reg.exe
  1532  reg.exe
  3860  reg.exe
  4084  reg.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID  Process
  684  VixenCleaner.exe
  684  VixenCleaner.exe
  684  VixenCleaner.exe
  684  VixenCleaner.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Token                         PID   Process
  SeBackupPrivilege             4156  vssvc.exe
  SeRestorePrivilege            4156  vssvc.exe
  SeAuditPrivilege              4156  vssvc.exe
  SeDebugPrivilege              1056  taskkill.exe
  SeDebugPrivilege              4420  taskkill.exe
  SeDebugPrivilege              2960  taskkill.exe
  SeDebugPrivilege              4224  taskkill.exe
  SeDebugPrivilege              2452  taskkill.exe
  SeIncreaseQuotaPrivilege      2428  WMIC.exe
  SeSecurityPrivilege           2428  WMIC.exe
  SeTakeOwnershipPrivilege      2428  WMIC.exe
  SeLoadDriverPrivilege         2428  WMIC.exe
  SeSystemProfilePrivilege      2428  WMIC.exe
  SeSystemtimePrivilege         2428  WMIC.exe
  SeProfSingleProcessPrivilege  2428  WMIC.exe
  SeIncBasePriorityPrivilege    2428  WMIC.exe
  SeCreatePagefilePrivilege     2428  WMIC.exe
  SeBackupPrivilege             2428  WMIC.exe
  SeRestorePrivilege            2428  WMIC.exe
  SeShutdownPrivilege           2428  WMIC.exe
  SeDebugPrivilege              2428  WMIC.exe
  SeSystemEnvironmentPrivilege  2428  WMIC.exe
  SeRemoteShutdownPrivilege     2428  WMIC.exe
  SeUndockPrivilege             2428  WMIC.exe
  SeManageVolumePrivilege       2428  WMIC.exe
  33                            2428  WMIC.exe
  34                            2428  WMIC.exe
  35                            2428  WMIC.exe
  36                            2428  WMIC.exe
  SeIncreaseQuotaPrivilege      2428  WMIC.exe
  SeSecurityPrivilege           2428  WMIC.exe
  SeTakeOwnershipPrivilege      2428  WMIC.exe
  SeLoadDriverPrivilege         2428  WMIC.exe
  SeSystemProfilePrivilege      2428  WMIC.exe
  SeSystemtimePrivilege         2428  WMIC.exe
  SeProfSingleProcessPrivilege  2428  WMIC.exe
  SeIncBasePriorityPrivilege    2428  WMIC.exe
  SeCreatePagefilePrivilege     2428  WMIC.exe
  SeBackupPrivilege             2428  WMIC.exe
  SeRestorePrivilege            2428  WMIC.exe
  SeShutdownPrivilege           2428  WMIC.exe
  SeDebugPrivilege              2428  WMIC.exe
  SeSystemEnvironmentPrivilege  2428  WMIC.exe
  SeRemoteShutdownPrivilege     2428  WMIC.exe
  SeUndockPrivilege             2428  WMIC.exe
  SeManageVolumePrivilege       2428  WMIC.exe
  33                            2428  WMIC.exe
  34                            2428  WMIC.exe
  35                            2428  WMIC.exe
  36                            2428  WMIC.exe
  SeBackupPrivilege             4156  vssvc.exe
  SeRestorePrivilege            4156  vssvc.exe
  SeAuditPrivilege              4156  vssvc.exe
  SeDebugPrivilege              1056  taskkill.exe
  SeDebugPrivilege              4420  taskkill.exe
  SeDebugPrivilege              2960  taskkill.exe
  SeDebugPrivilege              4224  taskkill.exe
  SeDebugPrivilege              2452  taskkill.exe
  SeIncreaseQuotaPrivilege      2428  WMIC.exe
  SeSecurityPrivilege           2428  WMIC.exe
  SeTakeOwnershipPrivilege      2428  WMIC.exe
  SeLoadDriverPrivilege         2428  WMIC.exe
  SeSystemProfilePrivilege      2428  WMIC.exe
  SeSystemtimePrivilege         2428  WMIC.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each write is recorded twice in the report; the Count column gives the number of entries):
  Source PID  Source process    Target PID  procid_target  Count
  684         VixenCleaner.exe  1900        87             2
  1900        cmd.exe           3156        88             2
  684         VixenCleaner.exe  3024        89             2
  3024        cmd.exe           3528        90             2
  684         VixenCleaner.exe  1896        91             2
  1896        cmd.exe           1908        92             2
  684         VixenCleaner.exe  4376        93             2
  4376        cmd.exe           1568        94             2
  684         VixenCleaner.exe  4224        95             2
  4224        cmd.exe           1760        96             2
  684         VixenCleaner.exe  2516        97             2
  2516        cmd.exe           3896        98             2
  684         VixenCleaner.exe  3956        99             2
  684         VixenCleaner.exe  2668        100            2
  684         VixenCleaner.exe  4856        101            2
  684         VixenCleaner.exe  3052        102            2
  684         VixenCleaner.exe  1280        111            2
  684         VixenCleaner.exe  732         112            2
  684         VixenCleaner.exe  4312        113            2
  4312        cmd.exe           3788        114            2
  684         VixenCleaner.exe  764         115            2
  764         cmd.exe           4164        116            2
  684         VixenCleaner.exe  4728        117            2
  4728        cmd.exe           3376        118            2
  684         VixenCleaner.exe  2156        119            2
  2156        cmd.exe           4720        120            2
  684         VixenCleaner.exe  1476        121            2
  1476        cmd.exe           2236        122            2
  684         VixenCleaner.exe  1112        123            2
  1112        cmd.exe           3716        124            2
  684         VixenCleaner.exe  1696        125            2
  1696        cmd.exe           992         126            2

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Tree depth is given in brackets; each entry reads PID | image path | command line, followed by the signatures that process triggered.

[1] PID 684 | C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe | "C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe"
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] PID 1900 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im /f fortnite* /t >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 3156 | C:\Windows\system32\taskkill.exe | taskkill /im /f fortnite* /t
        - Kills process with taskkill
  [2] PID 3024 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im /f easyantiche* /t >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 3528 | C:\Windows\system32\taskkill.exe | taskkill /im /f easyantiche* /t
        - Kills process with taskkill
  [2] PID 1896 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im /f beservice* /t >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 1908 | C:\Windows\system32\taskkill.exe | taskkill /im /f beservice* /t
        - Kills process with taskkill
  [2] PID 4376 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im /f epicweb* /t >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 1568 | C:\Windows\system32\taskkill.exe | taskkill /im /f epicweb* /t
        - Kills process with taskkill
  [2] PID 4224 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im /f epicgames* /t >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 1760 | C:\Windows\system32\taskkill.exe | taskkill /im /f epicgames* /t
        - Kills process with taskkill
  [2] PID 2516 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im /f WmiPrv* /f /t >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 3896 | C:\Windows\system32\taskkill.exe | taskkill /im /f WmiPrv* /f /t
        - Kills process with taskkill
  [2] PID 3956 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c color
  [2] PID 2668 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  [2] PID 4856 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c color b
  [2] PID 3052 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pause >nul
  [2] PID 1280 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rmdir /s /q %localappdata%\FortniteGame\ >nul 2>&1
  [2] PID 732 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rmdir /s /q %localappdata%\FortniteGame\ >nul 2>&1
  [2] PID 4312 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop easyanticheat >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 3788 | C:\Windows\system32\sc.exe | sc stop easyanticheat
        - Launches sc.exe
  [2] PID 764 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop easyanticheat_eos >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 4164 | C:\Windows\system32\sc.exe | sc stop easyanticheat_eos
        - Launches sc.exe
  [2] PID 4728 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop easyanticheat_eossys >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 3376 | C:\Windows\system32\sc.exe | sc stop easyanticheat_eossys
        - Launches sc.exe
  [2] PID 2156 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop easyanticheat_sys >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 4720 | C:\Windows\system32\sc.exe | sc stop easyanticheat_sys
        - Launches sc.exe
  [2] PID 1476 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop easyanticheatsys >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 2236 | C:\Windows\system32\sc.exe | sc stop easyanticheatsys
        - Launches sc.exe
  [2] PID 1112 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop bedaisy >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 3716 | C:\Windows\system32\sc.exe | sc stop bedaisy
        - Launches sc.exe
  [2] PID 1696 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
      - Suspicious use of WriteProcessMemory
    [3] PID 992 | C:\Windows\system32\sc.exe | sc stop beservice
        - Launches sc.exe
  [2] PID 4240 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
    [3] PID 3588 | C:\Windows\system32\sc.exe | sc stop beservice
        - Launches sc.exe
  [2] PID 4020 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&1
    [3] PID 3672 | C:\Windows\system32\sc.exe | sc stop beservice
        - Launches sc.exe
  [2] PID 5108 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete easyanticheat >nul 2>&1
    [3] PID 1052 | C:\Windows\system32\sc.exe | sc delete easyanticheat
        - Launches sc.exe
  [2] PID 4816 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete easyanticheat_eos >nul 2>&1
    [3] PID 1008 | C:\Windows\system32\sc.exe | sc delete easyanticheat_eos
        - Launches sc.exe
  [2] PID 3256 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete easyanticheat_eossys >nul 2>&1
    [3] PID 3152 | C:\Windows\system32\sc.exe | sc delete easyanticheat_eossys
        - Launches sc.exe
  [2] PID 996 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete easyanticheat_sys >nul 2>&1
    [3] PID 1612 | C:\Windows\system32\sc.exe | sc delete easyanticheat_sys
        - Launches sc.exe
  [2] PID 4476 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete easyanticheatsys >nul 2>&1
    [3] PID 5016 | C:\Windows\system32\sc.exe | sc delete easyanticheatsys
        - Launches sc.exe
  [2] PID 2468 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete bedaisy >nul 2>&1
    [3] PID 2392 | C:\Windows\system32\sc.exe | sc delete bedaisy
        - Launches sc.exe
  [2] PID 4308 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
    [3] PID 4560 | C:\Windows\system32\sc.exe | sc delete beservice
        - Launches sc.exe
  [2] PID 4908 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
    [3] PID 4036 | C:\Windows\system32\sc.exe | sc delete beservice
        - Launches sc.exe
  [2] PID 1860 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&1
    [3] PID 4088 | C:\Windows\system32\sc.exe | sc delete beservice
        - Launches sc.exe
  [2] PID 2804 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EasyAntiCheat_EOS" /f >nul 2>&1
    [3] PID 4488 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EasyAntiCheat_EOS" /f
  [2] PID 1132 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Khronos" /f >nul 2>&1
    [3] PID 2664 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Khronos" /f
  [2] PID 344 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Khronos" /f >nul 2>&1
    [3] PID 1424 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Khronos" /f
  [2] PID 1116 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EasyAntiCheat_EOS" /f >nul 2>&1
    [3] PID 3428 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EasyAntiCheat_EOS" /f
  [2] PID 3856 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f >nul 2>&1
    [3] PID 2560 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
  [2] PID 3232 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f >nul 2>&1
    [3] PID 3516 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f
  [2] PID 436 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\EpicGamesLauncher\" >nul 2>&1
  [2] PID 1480 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f >nul 2>&1
    [3] PID 2568 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  [2] PID 1152 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Khronos" /f >nul 2>&1
    [3] PID 1780 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\Software\Khronos" /f
  [2] PID 1532 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Khronos" /f >nul 2>&1
    [3] PID 384 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Khronos" /f
  [2] PID 648 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f >nul 2>&1
    [3] PID 1760 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  [2] PID 4224 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
    [3] PID 3920 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  [2] PID 1764 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
    [3] PID 2532 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  [2] PID 4076 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
    [3] PID 1540 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
  [2] PID 860 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f >nul 2>&1
    [3] PID 404 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
  [2] PID 1252 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f >nul 2>&1
    [3] PID 4980 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
  [2] PID 1920 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
    [3] PID 3216 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  [2] PID 3524 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&1
    [3] PID 4732 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
  [2] PID 3720 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f >nul 2>&1
    [3] PID 4524 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
  [2] PID 1684 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f >nul 2>&1
    [3] PID 1984 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
  [2] PID 4936 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\EpicGames" /f >nul 2>&1
    [3] PID 2600 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\EpicGames" /f
  [2] PID 4724 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&1
    [3] PID 4928 | C:\Windows\system32\reg.exe | reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Epic Games" /f
  [2] PID 536 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  [2] PID 3348 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c start /MIN "" "C:\Windows\System32\VolumeID.exe" -nobanner /accepteula C: 1C6E-93E4
    [3] PID 2236 | C:\Windows\System32\VolumeID.exe | "C:\Windows\System32\VolumeID.exe" -nobanner /accepteula C: 1C6E-93E4
        - Executes dropped EXE
  [2] PID 3572 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  [2] PID 2616 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c color b
  [2] PID 1052 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c del /F "C:\Windows\System32\VolumeID.exe" >nul 2>&1
  [2] PID 1572 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  [2] PID 3128 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet >nul 2>&1
    [3] PID 1308 | C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /All /Quiet
        - Interacts with shadow copies
  [2] PID 4752 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
    [3] PID 1056 | C:\Windows\system32\taskkill.exe | taskkill /im WmiPrv* /f /t
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 344 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
    [3] PID 4420 | C:\Windows\system32\taskkill.exe | taskkill /im WmiPrv* /f /t
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 1956 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
    [3] PID 2960 | C:\Windows\system32\taskkill.exe | taskkill /im WmiPrv* /f /t
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 3984 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  [2] PID 3920 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
    [3] PID 4224 | C:\Windows\system32\taskkill.exe | taskkill /im WmiPrv* /f /t
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 1628 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&1
    [3] PID 2452 | C:\Windows\system32\taskkill.exe | taskkill /im WmiPrv* /f /t
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 1196 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
    [3] PID 4084 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
        - Modifies registry key
  [2] PID 2152 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
    [3] PID 1468 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
        - Modifies registry key
  [2] PID 2712 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
    [3] PID 3468 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
        - Modifies registry key
  [2] PID 2988 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
    [3] PID 2708 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d 8647-11229-26858-17858 /f
        - Modifies registry key
  [2] PID 4728 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
    [3] PID 3708 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d 8647-11229-26858-17858 /f
        - Modifies registry key
  [2] PID 4080 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&1
    [3] PID 536 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d 8647-11229-26858-17858 /f
        - Modifies registry key
  [2] PID 2136 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r%random% /f >nul 2>&1
    [3] PID 3348 | C:\Windows\system32\reg.exe | REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r8647 /f
        - Modifies registry key
  [2] PID 3236 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d "VK7JG-NPHTM-C97JM-9MPGT-3V66T" /f >nul 2>&1
    [3] PID 4204 | C:\Windows\system32\reg.exe | REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d "VK7JG-NPHTM-C97JM-9MPGT-3V66T" /f
        - Modifies registry key
  [2] PID 2236 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
    [3] PID 1112 | C:\Windows\system32\reg.exe | REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
        - Modifies registry key
  [2] PID 3904 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
    [3] PID 4964 | C:\Windows\system32\reg.exe | REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
        - Modifies registry key
  [2] PID 3200 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v BiosData /f >nul 2>&1
    [3] PID 5032 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v BiosData /f
  [2] PID 1788 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v SMBiosData /f >nul 2>&1
    [3] PID 4816 | C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v SMBiosData /f
  [2] PID 4652 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId /f >nul 2>&1
    [3] PID 5072 | C:\Windows\system32\reg.exe | reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId /f
  [2] PID 4196 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId0 /f >nul 2>&1
    [3] PID 1744 | C:\Windows\system32\reg.exe | reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId0 /f
  [2] PID 3152 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId1 /f >nul 2>&1
    [3] PID 1492 | C:\Windows\system32\reg.exe | reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId1 /f
  [2] PID 1632 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId2 /f >nul 2>&1
    [3] PID 276 | C:\Windows\system32\reg.exe | reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId2 /f
  [2] PID 296 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId3 /f >nul 2>&1
    [3] PID 2428 | C:\Windows\system32\reg.exe | reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId3 /f
  [2] PID 5016 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId4 /f >nul 2>&1
    [3] PID 1612 | C:\Windows\system32\reg.exe | reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId4 /f
  [2] PID 2572 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId5 /f >nul 2>&1
    [3] PID 1860 | C:\Windows\system32\reg.exe | reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId5 /f
  [2] PID 5096 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId6 /f >nul 2>&1
    [3] PID 3332 | C:\Windows\system32\reg.exe | reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId6 /f
  [2] PID 4360 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
    [3] PID 4932 | C:\Windows\system32\reg.exe | REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
        - Modifies registry key
  [2] PID 464 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&1
    [3] PID 332 | C:\Windows\system32\reg.exe | REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f
        - Modifies registry key
  [2] PID 4044 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLab /t REG_SZ /d r%random%_%random%%random%.%random%-%random%%random%%random% /f >nul 2>&1
    [3] PID 3528 | C:\Windows\system32\reg.exe | REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLab /t REG_SZ /d r8650_2197811954.9154-270663188322873 /f
        - Modifies registry key
  [2] PID 3024 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLabEx /t REG_SZ /d r%random%_%random%%random%.%random%-%random%%random%%random% /f >nul 2>&1
    [3] PID 1116 | C:\Windows\system32\reg.exe | REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLabEx /t REG_SZ /d r8650_2197811954.9154-270663188322873 /f
        - Modifies registry key
  [2] PID 4420 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v%random%} /f >nul 2>&1
    [3] PID 344 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v8650} /f
        - Modifies registry key
  [2] PID 2592 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v%random%} /f >nul 2>&1
    [3] PID 3280 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v8650} /f
        - Modifies registry key
  [2] PID 1896 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v HwProfileGuid /t REG_SZ /d {xdfdfee%random%-%random%-%random%-%random%} /f >nul 2>&1
    [3] PID 1784 | C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v HwProfileGuid /t REG_SZ /d {xdfdfee8650-21978-11954-9154} /f
        - Modifies registry key
  [2] PID 728 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v GUID /t REG_SZ /d {faaeaa%random%-%random%-%random%-%random%} /f >nul 2>&1
    [3] C:\Windows\system32\reg.exe | REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v GUID /t REG_SZ /d {faaeaa8650-21978-11954-9154} /f
- Modifies registry key
PID:1568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r%random% /f >nul 2>&12⤵PID:620
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r8650 /f3⤵
- Modifies registry key
PID:1272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r%random% /f >nul 2>&12⤵PID:3068
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r8650 /f3⤵
- Modifies registry key
PID:1532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r%random% /f >nul 2>&12⤵PID:4780
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r8650 /f3⤵
- Modifies registry key
PID:2524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd%random%-%random%-%random%-%random%} /f >nul 2>&12⤵PID:4772
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd8650-21978-11954-9154} /f3⤵
- Modifies registry key
PID:1764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f >nul 2>&12⤵PID:2356
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallDate /t REG_SZ /d 8650 /f3⤵
- Modifies registry key
PID:3956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f >nul 2>&12⤵PID:2608
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallTime /t REG_SZ /d 8650 /f3⤵
- Modifies registry key
PID:3860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&12⤵PID:3176
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8650-21978-11954-9154} /f3⤵
- Modifies registry key
PID:1920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&12⤵PID:4856
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 8650-21978-11954-9154 /f3⤵
- Modifies registry key
PID:3192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&12⤵PID:4980
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8650-21978-11954-9154} /f3⤵
- Modifies registry key
PID:4076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d %random% /f >nul 2>&12⤵PID:380
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 8650 /f3⤵
- Modifies registry key
PID:3720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f >nul 2>&12⤵PID:1528
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f3⤵
- Enumerates system info in registry
PID:1684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f >nul 2>&12⤵PID:4500
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f3⤵
- Enumerates system info in registry
PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f >nul 2>&12⤵PID:1276
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f3⤵
- Enumerates system info in registry
PID:4724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f >nul 2>&12⤵PID:2924
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f3⤵
- Enumerates system info in registry
PID:644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f >nul 2>&12⤵PID:2116
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f3⤵PID:2896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f >nul 2>&12⤵PID:5036
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f3⤵PID:4468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f >nul 2>&12⤵PID:2684
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f3⤵PID:992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f >nul 2>&12⤵PID:4512
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f3⤵PID:3580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f >nul 2>&12⤵PID:5052
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f3⤵PID:1948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&12⤵PID:1092
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8653-32726-29818-449} /f3⤵
- Modifies registry key
PID:4020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&12⤵PID:916
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {8653-32726-29818-449} /f3⤵
- Modifies registry key
PID:4132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f >nul 2>&12⤵PID:4816
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f3⤵PID:1788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -a >nul 2>&12⤵
- Network Service Discovery
PID:4652 -
C:\Windows\system32\ARP.EXEarp -a3⤵
- Network Service Discovery
PID:1744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -d >nul 2>&12⤵PID:4196
-
C:\Windows\system32\ARP.EXEarp -d3⤵PID:1492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -a >nul 2>&12⤵
- Network Service Discovery
PID:3152 -
C:\Windows\system32\ARP.EXEarp -a3⤵
- Network Service Discovery
PID:276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&12⤵PID:1632
-
C:\Windows\System32\Wbem\WMIC.exeWMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156
Network
MITRE ATT&CK Enterprise v15
Execution
- System Services (1)
  - Service Execution (1)
- Windows Management Instrumentation (1)
Defense Evasion
- Direct Volume Access (1)
- Impair Defenses (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (1)
Downloads
- Filesize: 165KB
  MD5: 81a45f1a91448313b76d2e6d5308aa7a
  SHA1: 0d615343d5de03da03bce52e11b233093b404083
  SHA256: fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
  SHA512: 675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d