Analysis
-
max time kernel
18s -
max time network
25s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 00:18
General
-
Target
VixenCleaner.exe
-
Size
5.0MB
-
MD5
f896695ef615c4d5e09df4ccaa2984b5
-
SHA1
8f3517b2ecdf56d7372e7e89b35be6ee096f5292
-
SHA256
7ad75a6780417178b6026fe7f18a38dcb455e60d0f09391bbb9de6d9487c0526
-
SHA512
1aeb0b8f24354bce29df0855cd92456af1245f011918551ea383b2a9a1e0cd5add583b06fe541de771fd2507188e23446e022c0054187b20882e7c5393990516
-
SSDEEP
98304:Yxt16Pb/JC9apF5i6QzMffuhWMrd4wg4R6qVUlYL5jGTUp4c4gU:Yz8D/g9vzwfuo+2wz7VjGAp
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Network Service Discovery 1 TTPs 4 IoCs
Attempt to gather information on host's network.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Launches sc.exe 18 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 11 IoCs
-
Modifies registry key 1 TTPs 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe"C:\Users\Admin\AppData\Local\Temp\VixenCleaner.exe"1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im /f fortnite* /t >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /im /f fortnite* /t3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im /f easyantiche* /t >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /im /f easyantiche* /t3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im /f beservice* /t >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /im /f beservice* /t3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im /f epicweb* /t >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /im /f epicweb* /t3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im /f epicgames* /t >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /im /f epicgames* /t3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im /f WmiPrv* /f /t >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /im /f WmiPrv* /f /t3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color b2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause >nul2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %localappdata%\FortniteGame\ >nul 2>&12⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %localappdata%\FortniteGame\ >nul 2>&12⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop easyanticheat >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop easyanticheat3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop easyanticheat_eos >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop easyanticheat_eos3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop easyanticheat_eossys >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop easyanticheat_eossys3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop easyanticheat_sys >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop easyanticheat_sys3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop easyanticheatsys >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop easyanticheatsys3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bedaisy >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop bedaisy3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop beservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop beservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop beservice >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop beservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete easyanticheat >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete easyanticheat3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete easyanticheat_eos >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete easyanticheat_eos3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete easyanticheat_eossys >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete easyanticheat_eossys3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete easyanticheat_sys >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete easyanticheat_sys3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete easyanticheatsys >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete easyanticheatsys3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bedaisy >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete bedaisy3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete beservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete beservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete beservice >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc delete beservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EasyAntiCheat_EOS" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EasyAntiCheat_EOS" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Khronos" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Khronos" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Khronos" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Khronos" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EasyAntiCheat_EOS" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EasyAntiCheat_EOS" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\%username%\AppData\Local\EpicGamesLauncher\" >nul 2>&12⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Khronos" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Khronos" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Khronos" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Khronos" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\EpicGames" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\EpicGames" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Epic Games" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Epic Games" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start /MIN "" "C:\Windows\System32\VolumeID.exe" -nobanner /accepteula C: 1C6E-93E42⤵
-
C:\Windows\System32\VolumeID.exe"C:\Windows\System32\VolumeID.exe" -nobanner /accepteula C: 1C6E-93E43⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color b2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /F "C:\Windows\System32\VolumeID.exe" >nul 2>&12⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet >nul 2>&12⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /im WmiPrv* /f /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /im WmiPrv* /f /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /im WmiPrv* /f /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /im WmiPrv* /f /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im WmiPrv* /f /t >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /im WmiPrv* /f /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 22745-25109-28971-13498 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d 22745-25109-28971-13498 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d 22745-25109-28971-13498 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d 22745-25109-28971-13498 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d 22745-25109-28971-13498 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV Hostname /t REG_SZ /d 22745-25109-28971-13498 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r22745 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d "VK7JG-NPHTM-C97JM-9MPGT-3V66T" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d "VK7JG-NPHTM-C97JM-9MPGT-3V66T" /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v ProductId /t REG_SZ /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v BiosData /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v BiosData /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v SMBiosData /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data" /v SMBiosData /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId0 /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId0 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId1 /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId1 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId2 /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId2 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId3 /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId3 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId4 /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId4 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId5 /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId5 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId6 /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion" /v DigitalProductId6 /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d VK7JG-NPHTM-C97JM-9MPGT-3V66T /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLab /t REG_SZ /d r%random%_%random%%random%.%random%-%random%%random%%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLab /t REG_SZ /d r22748_308914067.4793-113512102223701 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLabEx /t REG_SZ /d r%random%_%random%%random%.%random%-%random%%random%%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildLabEx /t REG_SZ /d r22748_308914067.4793-113512102223701 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v22748} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {v22748} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v HwProfileGuid /t REG_SZ /d {xdfdfee%random%-%random%-%random%-%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v HwProfileGuid /t REG_SZ /d {xdfdfee22748-3089-14067-4793} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v GUID /t REG_SZ /d {faaeaa%random%-%random%-%random%-%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\HardwareProfiles\0001 /v GUID /t REG_SZ /d {faaeaa22748-3089-14067-4793} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v BuildGUID /t REG_SZ /d r22748 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOwner /t REG_SZ /d r22748 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d r22748 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd%random%-%random%-%random%-%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd22748-3089-14067-4793} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallDate /t REG_SZ /d 22748 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion /v InstallTime /t REG_SZ /d 22748 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {22748-3089-14067-4793} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 22748-3089-14067-4793 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {22748-3089-14067-4793} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d %random% /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\WMI\Security /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d 22748 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f3⤵
- Enumerates system info in registry
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f3⤵
- Enumerates system info in registry
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f3⤵
- Enumerates system info in registry
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f3⤵
- Enumerates system info in registry
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {22751-13838-31931-28856} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {22751-13838-31931-28856} /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f >nul 2>&12⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Sysinternals" /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -a >nul 2>&12⤵
- Network Service Discovery
-
C:\Windows\system32\ARP.EXEarp -a3⤵
- Network Service Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -d >nul 2>&12⤵
-
C:\Windows\system32\ARP.EXEarp -d3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -a >nul 2>&12⤵
- Network Service Discovery
-
C:\Windows\system32\ARP.EXEarp -a3⤵
- Network Service Discovery
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&12⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
System Services
1Service Execution
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Indicator Removal
3File Deletion
3Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
165KB
MD581a45f1a91448313b76d2e6d5308aa7a
SHA10d615343d5de03da03bce52e11b233093b404083
SHA256fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
-
Filesize
8.5MB
-
Filesize
8KB
-
Filesize
8.5MB
-
Filesize
8KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8.5MB
-
Filesize
3.2MB
-
Filesize
8.5MB