b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68

System Information Discovery

Processes:

applecleanS3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleanS3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleanS3.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/776-55-0x000000013F930000-0x0000000140206000-memory.dmp	themida
behavioral1/memory/776-56-0x000000013F930000-0x0000000140206000-memory.dmp	themida
behavioral1/memory/776-57-0x000000013F930000-0x0000000140206000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

applecleanS3.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA applecleanS3.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

applecleanS3.exe

pid process

776 applecleanS3.exe
Drops file in Windows directory 2 IoCs

Processes:

applecleanS3.exe

description ioc process

File created C:\Windows\IME\devcon.exe applecleanS3.exe
File created C:\Windows\IME\network.bat applecleanS3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleanS3.exe

pid	process
776	applecleanS3.exe

description	ioc	process
File created	C:\Windows\IME\devcon.exe	applecleanS3.exe
File created	C:\Windows\IME\network.bat	applecleanS3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-1091-29961-185823583"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-10912996118582"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Apple-1091-29961-185823583"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe

Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

1952 ipconfig.exe
240 ipconfig.exe
592 ipconfig.exe
996 ipconfig.exe
1752 ipconfig.exe
1928 ipconfig.exe

pid	process
1952	ipconfig.exe
240	ipconfig.exe
592	ipconfig.exe
996	ipconfig.exe
1752	ipconfig.exe
1928	ipconfig.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
580	taskkill.exe
340	taskkill.exe
1744	taskkill.exe
636	taskkill.exe
1720	taskkill.exe
964	taskkill.exe
1320	taskkill.exe
1700	taskkill.exe
1676	taskkill.exe
1176	taskkill.exe
1708	taskkill.exe
1780	taskkill.exe
868	taskkill.exe
1592	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 10971869021542189413100730324266803067729622	reg.exe

Modifies registry class 5 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Interface\ClsidStore = 01094794236782764620692263972356783613111193543249420456	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Installer\Dependencies\MSICache = 109718690215421894131007303242668030677296221320632347	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1508	reg.exe
768	reg.exe
1176	reg.exe
1684	reg.exe
1956	reg.exe
1412	reg.exe
1176	reg.exe
1080	reg.exe
636	reg.exe
1720	reg.exe
1220	reg.exe
932	reg.exe
952	reg.exe
1148	reg.exe
2044	reg.exe
1688	reg.exe
1636	reg.exe
1824	reg.exe
1876	reg.exe
1956	reg.exe
568	reg.exe
636	reg.exe
1696	reg.exe
568	reg.exe
1624	reg.exe
1992	reg.exe
1700	reg.exe
1720	reg.exe
1220	reg.exe
1676	reg.exe
916	reg.exe
1652	reg.exe
1888	reg.exe
1924	reg.exe
1304	reg.exe
568	reg.exe
1652	reg.exe
2032	reg.exe
932	reg.exe
868	reg.exe
1216	reg.exe
1708	reg.exe
1876	reg.exe
1532	reg.exe
1360	reg.exe
952	reg.exe
1696	reg.exe
592	reg.exe
1824	reg.exe
996	reg.exe
768	reg.exe
916	reg.exe
1924	reg.exe
1508	reg.exe
1652	reg.exe
1176	reg.exe
2040	reg.exe
340	reg.exe
1148	reg.exe
1600	reg.exe
1132	reg.exe
2040	reg.exe
2032	reg.exe
2044	reg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

applecleanS3.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 776 wrote to memory of 568	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 568	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 568	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1732	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1732	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1732	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 564	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 564	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 564	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1824	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1824	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1824	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 2032	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 2032	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 2032	776	applecleanS3.exe	cmd.exe
PID 2032 wrote to memory of 1176	2032	cmd.exe	taskkill.exe
PID 2032 wrote to memory of 1176	2032	cmd.exe	taskkill.exe
PID 2032 wrote to memory of 1176	2032	cmd.exe	taskkill.exe
PID 776 wrote to memory of 1980	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1980	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1980	776	applecleanS3.exe	cmd.exe
PID 1980 wrote to memory of 1700	1980	cmd.exe	taskkill.exe
PID 1980 wrote to memory of 1700	1980	cmd.exe	taskkill.exe
PID 1980 wrote to memory of 1700	1980	cmd.exe	taskkill.exe
PID 776 wrote to memory of 1724	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1724	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1724	776	applecleanS3.exe	cmd.exe
PID 1724 wrote to memory of 580	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 580	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 580	1724	cmd.exe	taskkill.exe
PID 776 wrote to memory of 2020	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 2020	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 2020	776	applecleanS3.exe	cmd.exe
PID 2020 wrote to memory of 340	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 340	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 340	2020	cmd.exe	taskkill.exe
PID 776 wrote to memory of 920	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 920	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 920	776	applecleanS3.exe	cmd.exe
PID 920 wrote to memory of 964	920	cmd.exe	taskkill.exe
PID 920 wrote to memory of 964	920	cmd.exe	taskkill.exe
PID 920 wrote to memory of 964	920	cmd.exe	taskkill.exe
PID 776 wrote to memory of 2036	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 2036	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 2036	776	applecleanS3.exe	cmd.exe
PID 2036 wrote to memory of 1708	2036	cmd.exe	taskkill.exe
PID 2036 wrote to memory of 1708	2036	cmd.exe	taskkill.exe
PID 2036 wrote to memory of 1708	2036	cmd.exe	taskkill.exe
PID 776 wrote to memory of 1080	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1080	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1080	776	applecleanS3.exe	cmd.exe
PID 1080 wrote to memory of 1744	1080	cmd.exe	taskkill.exe
PID 1080 wrote to memory of 1744	1080	cmd.exe	taskkill.exe
PID 1080 wrote to memory of 1744	1080	cmd.exe	taskkill.exe
PID 776 wrote to memory of 1908	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1908	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1908	776	applecleanS3.exe	cmd.exe
PID 1908 wrote to memory of 636	1908	cmd.exe	taskkill.exe
PID 1908 wrote to memory of 636	1908	cmd.exe	taskkill.exe
PID 1908 wrote to memory of 636	1908	cmd.exe	taskkill.exe
PID 776 wrote to memory of 1344	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1344	776	applecleanS3.exe	cmd.exe
PID 776 wrote to memory of 1344	776	applecleanS3.exe	cmd.exe
PID 1344 wrote to memory of 1320	1344	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\applecleanS3.exe
"C:\Users\Admin\AppData\Local\Temp\applecleanS3.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 0b
2⤵
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\taskkill.exe
taskkill /f /im steam.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1956

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:608

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:1212

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
PID:592

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
2⤵
PID:1500

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
2⤵
PID:568

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
- Modifies registry key
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
2⤵
PID:1384

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
- Modifies registry key
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:636

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-1091 /f
3⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1704

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-1091 /f
3⤵
- Modifies registry key
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
2⤵
PID:1216

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple1091-29961-18582-3583 /f
3⤵
- Modifies registry key
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f
2⤵
PID:1928

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-1091-%random} /f
3⤵
- Modifies registry key
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
2⤵
PID:1752

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-10912996118582 /f
3⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f
2⤵
PID:908

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-1091 /f
3⤵
- Modifies registry key
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f
2⤵
PID:1716

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-1091 /f
3⤵
- Modifies registry key
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
2⤵
PID:340

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-10912996118582 /f
3⤵
- Enumerates system info in registry
PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:956

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-1091-29961-185823583} /f
3⤵
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:1004

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-1091-29961-185823583} /f
3⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:1740

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-1091-29961-185823583} /f
3⤵
- Modifies registry key
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1592

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-1091-29961-185823583 /f
3⤵
- Modifies registry key
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1132

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-1091-29961-185823583 /f
3⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1080

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-1091-29961-185823583 /f
3⤵
- Modifies registry key
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-1091-29961-185823583 /f
3⤵
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1384

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-1091-29961-185823583 /f
3⤵
- Modifies registry key
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1548

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-1091-29961-185823583 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1320

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-1091-29961-185823583 /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:1704

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-1091-29961-185823583} /f
3⤵
- Modifies registry key
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
2⤵
PID:1684

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-1091-29961-185823583} /f
3⤵
- Modifies registry key
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:536

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-1091 /f
3⤵
- Modifies registry key
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
2⤵
PID:1928

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 1091 /f
3⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
2⤵
PID:2008

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 1091 /f
3⤵
- Modifies registry key
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:580

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-1091 /f
3⤵
- Modifies registry key
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
2⤵
PID:1952

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple1091-29961-18582-358310378} /f
3⤵
- Modifies registry key
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:608

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple1091-29961-18582-358310378} /f
3⤵
- Modifies registry key
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
2⤵
PID:1196

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 1091 /f
3⤵
- Modifies registry key
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
2⤵
PID:920

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 1091 /f
3⤵
- Modifies registry key
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
2⤵
PID:1596

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 1091 /f
3⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:1680

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 1091-29961-18582-3583 /f
3⤵
- Modifies registry key
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
2⤵
PID:2036

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple1091-29961-18582-3583 /f
3⤵
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f
2⤵
PID:1316

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple1091 /f
3⤵
- Modifies registry key
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
2⤵
PID:1500

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 1094 /f
3⤵
- Modifies registry key
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
2⤵
PID:1732

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 1094 /f
3⤵
- Modifies registry key
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f
2⤵
PID:1744

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple1094-7942-3678-27646} /f
3⤵
- Modifies registry key
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
2⤵
PID:1436

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
3⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
2⤵
PID:1908

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 1094-7942-3678-2764620692 /f
3⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
2⤵
PID:928

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
- Modifies registry key
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
2⤵
PID:1932

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
2⤵
PID:544

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
2⤵
PID:1344

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:1780

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
- Modifies registry key
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:1948

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:1752

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
- Modifies registry key
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:908

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
- Modifies registry key
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:1716

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
- Modifies registry key
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
2⤵
PID:240

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
3⤵
- Modifies registry key
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:964

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:956

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1212

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
2⤵
PID:1588

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
- Modifies registry key
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1740

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1636

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:564

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
- Modifies registry key
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:1132

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
- Modifies registry key
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:1080

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
- Modifies registry key
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:1384

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
- Modifies registry key
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:1548

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
- Modifies registry key
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
2⤵
PID:1320

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
3⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1704

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 1094794236782764620692263972356783613111193543249420456 /f
3⤵
- Modifies registry class
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1684

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:536

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
- Modifies registry key
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1928

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
2⤵
PID:2008

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
- Modifies registry key
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:580

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
2⤵
PID:1952

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-1094-7942-367827646 /f
3⤵
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
2⤵
PID:608

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
3⤵
- Modifies registry key
PID:2044

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
4⤵
- Gathers network information
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
2⤵
PID:1196

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
3⤵
- Modifies registry key
PID:1676

C:\Windows\system32\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
2⤵
PID:920

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
3⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
2⤵
PID:1596

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
- Modifies registry key
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
2⤵
PID:1680

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
- Modifies registry key
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
2⤵
PID:2036

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History /f
3⤵
- Modifies registry key
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Windows\IME\network.bat
3⤵
PID:1876

C:\Windows\system32\netsh.exe
NETSH WINSOCK RESET
4⤵
PID:1132

C:\Windows\system32\netsh.exe
NETSH INT IP RESET
4⤵
PID:1076

C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV4 RESET
4⤵
PID:1892

C:\Windows\system32\netsh.exe
NETSH INTERFACE IPV6 RESET
4⤵
PID:792

C:\Windows\system32\netsh.exe
NETSH INTERFACE TCP RESET
4⤵
PID:1700

C:\Windows\system32\netsh.exe
NETSH INT RESET ALL
4⤵
PID:1344

C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
4⤵
- Gathers network information
PID:996

C:\Windows\system32\ipconfig.exe
IPCONFIG /RELEASE
4⤵
- Gathers network information
PID:1752

C:\Windows\system32\ipconfig.exe
IPCONFIG /FLUSHDNS
4⤵
- Gathers network information
PID:1928

C:\Windows\system32\nbtstat.exe
NBTSTAT -R
4⤵
PID:1676

C:\Windows\system32\nbtstat.exe
NBTSTAT -RR
4⤵
PID:1572

C:\Windows\System32\Wbem\WMIC.exe
WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
4⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
2⤵
PID:1316

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
3⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
2⤵
PID:1500

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
- Modifies registry key
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
2⤵
PID:1732

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
3⤵
- Modifies registry key
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
2⤵
PID:1744

C:\Windows\system32\reg.exe
reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
3⤵
- Checks processor information in registry
- Modifies registry key
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
2⤵
PID:1436

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
3⤵
- Modifies registry key
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
2⤵
PID:1908

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
3⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
2⤵
PID:928

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
3⤵
- Modifies registry key
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
2⤵
PID:1932

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
3⤵
- Modifies registry key
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
2⤵
PID:544

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
3⤵
- Modifies registry key
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1344

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 10971869021542189413100730324266803067729622132063234720500 /f
3⤵
- Modifies registry key
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1780

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 109718690215421894131007303242668030677296221320632347 /f
3⤵
- Modifies registry class
- Modifies registry key
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1948

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 1097186902154218941310073032426680306772962213206 /f
3⤵
- Modifies registry key
PID:952

C:\Windows\system32\netsh.exe
netsh advfirewall reset
4⤵
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1752

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 10971869021542189413100730324266803067729622132063234720500 /f
3⤵
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:908

C:\Windows\system32\reg.exe
REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 10971869021542189413100730324266803067729622132063234720500 /f
3⤵
- Modifies registry key
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1716

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 10971869021542189413100730324266803067729622 /f
3⤵
- Modifies Internet Explorer settings
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:240

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 10971869021542 /f
3⤵
PID:1004

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:964

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 10971869021542 /f
3⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:956

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 10971869021542 /f
3⤵
- Modifies registry key
PID:1508

C:\Windows\system32\netsh.exe
netsh interface ip delete arpcache
3⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1212

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 10971869021542 /f
3⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1588

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 10971869021542189413100730324266803067729622132063234720500 /f
3⤵
- Modifies registry key
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f
2⤵
PID:1740

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.1097.18690-21542_1894131007 /f
3⤵
- Modifies registry key
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
2⤵
PID:1636

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {1097-18690-21542-18941} /f
3⤵
- Modifies registry key
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
2⤵
PID:564

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
3⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
2⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh winsock reset
2⤵
PID:1384

C:\Windows\system32\netsh.exe
netsh winsock reset
3⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh int ip reset
2⤵
PID:1704

C:\Windows\system32\netsh.exe
netsh int ip reset
3⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall reset
2⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /release
2⤵
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /renew
2⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface ip delete arpcache
2⤵
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Windows\IME\network.bat
2⤵
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

4

System Information Discovery

5

Virtualization/Sandbox Evasion