d5b857f4972fea91c9d476905d4fb6f80de89df311da0dce83adfbef4d32d1b3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Toruney_Cleaner.exe
Size

135KB
MD5

03c9069653a814dd3a0d69d1431145eb
SHA1

d57ca643bfb63dc9df696054ff12770132a81038
SHA256

d5b857f4972fea91c9d476905d4fb6f80de89df311da0dce83adfbef4d32d1b3
SHA512

b7958fa0c0d2953ed4062f2e241f982377b4b0f990a179da9bf328a39e0a00b79ee76a537cd42482d2d782e33e36f390c85585d88fe16b882e67c4c9edd366cf
SSDEEP

768:EcLW2SN3ItwfkDG7FIMXVGBzn5v1QLKeJunPxrU+lP/X3Zwkin9Sbh9Sb:LLWDN4qfkDo8z5tMGP9U+BBBuC

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

Toruney_Cleaner.exe

description ioc process

File opened for modification C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64 Toruney_Cleaner.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.execmd.execmd.exe

pid process

2704 cmd.exe
2544 cmd.exe
2620 cmd.exe

description	ioc	process
File opened for modification	C:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries\Win64	Toruney_Cleaner.exe

pid	process
2704	cmd.exe
2544	cmd.exe
2620	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2756 taskkill.exe
2552 taskkill.exe
2012 taskkill.exe
1020 taskkill.exe
828 taskkill.exe

pid	process
2756	taskkill.exe
2552	taskkill.exe
2012	taskkill.exe
1020	taskkill.exe
828	taskkill.exe

Modifies registry key 1 TTPs 13 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1220	reg.exe
1432	reg.exe
2632	reg.exe
1756	reg.exe
1780	reg.exe
2644	reg.exe
2880	reg.exe
2800	reg.exe
2288	reg.exe
1900	reg.exe
2864	reg.exe
992	reg.exe
2728	reg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Toruney_Cleaner.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2688 wrote to memory of 2248	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2248	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2248	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2844	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2844	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2844	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2840	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2840	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2840	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2704	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2704	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2704	2688	Toruney_Cleaner.exe	cmd.exe
PID 2704 wrote to memory of 2756	2704	cmd.exe	taskkill.exe
PID 2704 wrote to memory of 2756	2704	cmd.exe	taskkill.exe
PID 2704 wrote to memory of 2756	2704	cmd.exe	taskkill.exe
PID 2688 wrote to memory of 2544	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2544	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2544	2688	Toruney_Cleaner.exe	cmd.exe
PID 2544 wrote to memory of 2552	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2552	2544	cmd.exe	taskkill.exe
PID 2544 wrote to memory of 2552	2544	cmd.exe	taskkill.exe
PID 2688 wrote to memory of 2620	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2620	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2620	2688	Toruney_Cleaner.exe	cmd.exe
PID 2620 wrote to memory of 2012	2620	cmd.exe	taskkill.exe
PID 2620 wrote to memory of 2012	2620	cmd.exe	taskkill.exe
PID 2620 wrote to memory of 2012	2620	cmd.exe	taskkill.exe
PID 2688 wrote to memory of 2168	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2168	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2168	2688	Toruney_Cleaner.exe	cmd.exe
PID 2168 wrote to memory of 1020	2168	cmd.exe	taskkill.exe
PID 2168 wrote to memory of 1020	2168	cmd.exe	taskkill.exe
PID 2168 wrote to memory of 1020	2168	cmd.exe	taskkill.exe
PID 2688 wrote to memory of 1592	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 1592	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 1592	2688	Toruney_Cleaner.exe	cmd.exe
PID 1592 wrote to memory of 828	1592	cmd.exe	taskkill.exe
PID 1592 wrote to memory of 828	1592	cmd.exe	taskkill.exe
PID 1592 wrote to memory of 828	1592	cmd.exe	taskkill.exe
PID 2688 wrote to memory of 1640	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 1640	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 1640	2688	Toruney_Cleaner.exe	cmd.exe
PID 1640 wrote to memory of 2860	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 2860	1640	cmd.exe	reg.exe
PID 1640 wrote to memory of 2860	1640	cmd.exe	reg.exe
PID 2688 wrote to memory of 2876	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2876	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2876	2688	Toruney_Cleaner.exe	cmd.exe
PID 2876 wrote to memory of 1652	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 1652	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 1652	2876	cmd.exe	reg.exe
PID 2688 wrote to memory of 2920	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2920	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 2920	2688	Toruney_Cleaner.exe	cmd.exe
PID 2920 wrote to memory of 2912	2920	cmd.exe	reg.exe
PID 2920 wrote to memory of 2912	2920	cmd.exe	reg.exe
PID 2920 wrote to memory of 2912	2920	cmd.exe	reg.exe
PID 2688 wrote to memory of 1460	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 1460	2688	Toruney_Cleaner.exe	cmd.exe
PID 2688 wrote to memory of 1460	2688	Toruney_Cleaner.exe	cmd.exe
PID 1460 wrote to memory of 2924	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 2924	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 2924	1460	cmd.exe	reg.exe
PID 2688 wrote to memory of 2932	2688	Toruney_Cleaner.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Toruney_Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Toruney_Cleaner.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @shift /0
  2⤵
  PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @shift /0
  2⤵
  PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSVendor /f
    3⤵
    - Enumerates system info in registry
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v BIOSReleaseDate /f
    3⤵
    - Enumerates system info in registry
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
    3⤵
    - Enumerates system info in registry
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemProductName /f
    3⤵
    - Enumerates system info in registry
    PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
  2⤵
  PID:2932
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\BIOS" /v SystemManufacturer /f
    3⤵
    - Enumerates system info in registry
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
  2⤵
  PID:3040
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f
    3⤵
    - Checks processor information in registry
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
  2⤵
  PID:2164
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
    3⤵
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:2376
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Norc%random% /f
  2⤵
  PID:2604
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d Norc7469 /f
    3⤵
    - Modifies registry key
    PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Norc%random% /f
  2⤵
  PID:2640
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d Norc7469 /f
    3⤵
    - Modifies registry key
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be%random%} /f
  2⤵
  PID:2404
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {be7469} /f
    3⤵
    - Modifies registry key
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware\Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee%random%-%random%-%random%-%random%} /f
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware\Profiles\0001 /v HwProfileGuid /t REG_SZ /d {fefefee7469-16245-29651-3781} /f
    3⤵
    - Modifies registry key
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware\Profiles\0001 /v GUID /t REG_SZ /d {fefefe%random%-%random%-%random%-%random%} /f
  2⤵
  PID:1216
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware\Profiles\0001 /v GUID /t REG_SZ /d {fefefe7469-16245-29651-3781} /f
    3⤵
    - Modifies registry key
    PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v BuildGUID /t REG_SZ /d Norc%random% /f
  2⤵
  PID:1628
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v BuildGUID /t REG_SZ /d Norc7469 /f
    3⤵
    - Modifies registry key
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d Norc%random% /f
  2⤵
  PID:1904
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d Norc7469 /f
    3⤵
    - Modifies registry key
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d Norc%random% /f
  2⤵
  PID:1840
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d Norc7469 /f
    3⤵
    - Modifies registry key
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d Norc%random%-%random%-%random%-%random% /f
  2⤵
  PID:532
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d Norc7469-16245-29651-3781 /f
    3⤵
    - Modifies registry key
    PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d hello%random%-%random%-%random%-%random% /f
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d hello7469-16245-29651-3781 /f
    3⤵
    - Modifies registry key
    PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v ProductId /t REG_SZ /d 7469-16245-29651-3781 /f
    3⤵
    - Modifies registry key
    PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion /v InstallDate /t REG_SZ /d 7469 /f
    3⤵
    - Modifies registry key
    PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd%random%-%random%-%random%-%random%} /f
  2⤵
  PID:2808
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {randomd7469-16245-29651-3781} /f
    3⤵
    - Modifies registry key
    PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads