f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
13s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/NXTcleaner.exe
Size

3.2MB
MD5

644399a0aff07bd4f7dc1eb5aa5c0236
SHA1

243f1f7bb95af8d3c44a270772f408c6febb06af
SHA256

5d101b2efae1e9390ac98e014a05d54338ec45cd73ff5dd70842877910f7b758
SHA512

73db539182c67d18b4e491966672876054cdeaae9d5ac024f1991a0551aea74867d9f1df7487655a5c9089553b967c09f558b02e33ec0cc015b6587fd5eb2508
SSDEEP

49152:MVmDUcyg2ImpoHJSt6Ia+CZEV2o8vMT3/nwlU5igpWV7JEW8np2Klad4j0Vs:MsgcypOSUI+qmJo+QZladTV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NXTcleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	NXTcleaner.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA34B2~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_computeaccelerator.inf	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0409\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\machine.inf	cmd.exe
File opened for modification	C:\Windows\INF\pnpxinternetgatewaydevices.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA1CBF~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\netv1x64.inf	cmd.exe
File opened for modification	C:\Windows\INF\wave.inf	cmd.exe
File opened for modification	C:\Windows\INF\wsynth3dvsc.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA9B20~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_diskdrive.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0409\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\fidohid.inf	cmd.exe
File opened for modification	C:\Windows\INF\hdaudss.inf	cmd.exe
File opened for modification	C:\Windows\INF\xusb22.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbcir.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA004D~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\ialpssi_i2c.inf	cmd.exe
File opened for modification	C:\Windows\INF\microsoft_bluetooth_a2dp_snk.inf	cmd.exe
File opened for modification	C:\Windows\INF\multiprt.inf	cmd.exe
File opened for modification	C:\Windows\INF\netrast.inf	cmd.exe
File opened for modification	C:\Windows\INF\netvwifimp.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAE854~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0000\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\040C\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGatherer\0407\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\.NET Memory Cache 4.0\0000\netmemorycache_d.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA93EE~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\megasr.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\usbperfsym.h	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA190C~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAB7C5~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\wvmic_heartbeat.inf	cmd.exe
File opened for modification	C:\Windows\INF\bthleenum.inf	cmd.exe
File opened for modification	C:\Windows\INF\netbrdg.inf	cmd.exe
File opened for modification	C:\Windows\INF\TermService\0409\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\c_multiportserial.inf	cmd.exe
File opened for modification	C:\Windows\INF\dwup-noregkeys.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidscanner.inf	cmd.exe
File opened for modification	C:\Windows\INF\umbus.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA3127~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Data\0000\_DataPerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\c_cashdrawer.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmetech.inf	cmd.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\0407\PerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\wnetvsc_vfpp.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\ACTION~1.XML	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA10D1~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAC111~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmnttme.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmsun2.inf	cmd.exe
File opened for modification	C:\Windows\INF\ntprint.inf	cmd.exe
File opened for modification	C:\Windows\INF\netr28ux.inf	cmd.exe
File opened for modification	C:\Windows\INF\RemoteAccess\0000\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA8848~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATST~2.MUM	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Data\0410\_DataPerfCounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking 4.0.0.0\040C\_Networkingperfcounters_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\mdmdp2.inf	cmd.exe
File opened for modification	C:\Windows\INF\mrvlpcie8897.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_dot4print.inf	cmd.exe
File opened for modification	C:\Windows\INF\netmlx5.inf	cmd.exe
File opened for modification	C:\Windows\INF\wfpcapture.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAF8A7~1.MUM	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exemsedge.exereg.exeConhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "10763-12089-16219483"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "10763-12089-16219483"	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "10760134131123"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4476 taskkill.exe
4980 taskkill.exe
496 taskkill.exe

pid	process
4476	taskkill.exe
4980	taskkill.exe
496	taskkill.exe

Modifies registry class 10 IoCs

Processes:

NXTcleaner.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\URL Protocol	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\DefaultIcon	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\shell\open\command	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\shell	NXTcleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\shell\open	NXTcleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864	NXTcleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\ = "URL:Run game 812970075899428864 protocol"	NXTcleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meta Unban\\Cleaners\\NXTcleaner.exe"	NXTcleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\discord-812970075899428864\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Meta Unban\\Cleaners\\NXTcleaner.exe"	NXTcleaner.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1704	reg.exe
5072	reg.exe
1180	reg.exe
100	reg.exe
2952	reg.exe
2700	reg.exe
1456	reg.exe
3880	reg.exe
2396	reg.exe
4244	reg.exe
4276	reg.exe
4476	reg.exe
3512	reg.exe
1468	reg.exe
2708	reg.exe
4752	reg.exe
5004	reg.exe
2452	reg.exe
4132	reg.exe
1696	reg.exe
2764	reg.exe
3776	reg.exe
3632	reg.exe
820	reg.exe
5072	reg.exe
1104	reg.exe
4212	reg.exe
488	reg.exe
2396	reg.exe
4196	reg.exe
1052	reg.exe
4004	reg.exe
636	reg.exe
5084	reg.exe
4212	reg.exe
488	reg.exe
3840	reg.exe
2292	reg.exe
4400	reg.exe
652	reg.exe
4212	reg.exe
4500	reg.exe
100	reg.exe
2992	reg.exe
2396	reg.exe
4736	reg.exe
1468	reg.exe
1816	reg.exe
1964	reg.exe
848	reg.exe
4132	reg.exe
3936	reg.exe
1124	reg.exe
1972	reg.exe
3004	reg.exe
2116	reg.exe
4900	reg.exe
3820	reg.exe
1052	reg.exe
1172	reg.exe
1816	reg.exe
3040	reg.exe
1052	reg.exe
4360	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

3832 msedge.exe
3832 msedge.exe
3856 msedge.exe
3856 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NXTcleaner.exe

pid process

3656 NXTcleaner.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3856 msedge.exe
3856 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4476 taskkill.exe
Token: SeDebugPrivilege 4980 taskkill.exe
Token: SeDebugPrivilege 496 taskkill.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3856 msedge.exe
3856 msedge.exe
3856 msedge.exe

pid	process
3832	msedge.exe
3832	msedge.exe
3856	msedge.exe
3856	msedge.exe

pid	process
3656	NXTcleaner.exe

pid	process
3856	msedge.exe
3856	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	496	taskkill.exe

pid	process
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NXTcleaner.execmd.exemsedge.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3656 wrote to memory of 1100	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 1100	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 2736	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 2736	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3716	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3716	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3832	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3832	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 652	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 652	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3820	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3820	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 4496	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 4496	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 1964	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 1964	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3544	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3544	3656	NXTcleaner.exe	cmd.exe
PID 3544 wrote to memory of 3856	3544	cmd.exe	msedge.exe
PID 3544 wrote to memory of 3856	3544	cmd.exe	msedge.exe
PID 3856 wrote to memory of 1564	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1564	3856	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3848	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3848	3656	NXTcleaner.exe	cmd.exe
PID 3848 wrote to memory of 4476	3848	cmd.exe	taskkill.exe
PID 3848 wrote to memory of 4476	3848	cmd.exe	taskkill.exe
PID 3656 wrote to memory of 5084	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 5084	3656	NXTcleaner.exe	cmd.exe
PID 5084 wrote to memory of 4980	5084	cmd.exe	taskkill.exe
PID 5084 wrote to memory of 4980	5084	cmd.exe	taskkill.exe
PID 3656 wrote to memory of 2644	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 2644	3656	NXTcleaner.exe	cmd.exe
PID 2644 wrote to memory of 496	2644	cmd.exe	taskkill.exe
PID 2644 wrote to memory of 496	2644	cmd.exe	taskkill.exe
PID 3656 wrote to memory of 876	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 876	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 2832	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 2832	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 2240	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 2240	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 1808	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 1808	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 4676	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 4676	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 5056	3656	NXTcleaner.exe	Conhost.exe
PID 3656 wrote to memory of 5056	3656	NXTcleaner.exe	Conhost.exe
PID 3656 wrote to memory of 4236	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 4236	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 1116	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 1116	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 4444	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 4444	3656	NXTcleaner.exe	cmd.exe
PID 3656 wrote to memory of 3836	3656	NXTcleaner.exe	msedge.exe
PID 3656 wrote to memory of 3836	3656	NXTcleaner.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 3580	3856	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\NXTcleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\NXTcleaner.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:1100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:2736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
2⤵
- Drops file in Windows directory
PID:3716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
2⤵
PID:3832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
2⤵
PID:652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
2⤵
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
2⤵
- Drops file in Windows directory
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://nxt.lol/
2⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://nxt.lol/
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc820946f8,0x7ffc82094708,0x7ffc82094718
4⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
4⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
4⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
4⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
4⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
4⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
4⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
4⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
4⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
4⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6ed865460,0x7ff6ed865470,0x7ff6ed865480
5⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15921977902638786441,6545606337885431659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
4⤵
PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
2⤵
PID:876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
2⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
2⤵
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
2⤵
PID:4676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
2⤵
PID:5056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
2⤵
PID:4236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
2⤵
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
2⤵
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
2⤵
PID:3836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
2⤵
PID:2684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
2⤵
PID:1964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
2⤵
PID:4940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
2⤵
PID:3748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
2⤵
PID:4280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
2⤵
PID:4740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
2⤵
PID:4224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
2⤵
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
2⤵
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
2⤵
PID:4116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
2⤵
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
2⤵
PID:3880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /s /f /a:h /a:a /d C:\MSOCache\{71230000_00E2-0000-1000-00000000}\Setup.dat
2⤵
PID:2872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
2⤵
PID:4668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:2272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
2⤵
PID:2992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:3028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
2⤵
PID:100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
2⤵
PID:4600

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
3⤵
- Modifies registry key
PID:848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
2⤵
PID:2832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
2⤵
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:4244

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 1075723361132581789323326737026607228981683628974333020926 /f
3⤵
- Modifies registry key
PID:2992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /a:h /a:a /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
2⤵
PID:2052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
2⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1964

C:\Windows\system32\reg.exe
reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
3⤵
- Modifies registry key
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
2⤵
PID:4252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
2⤵
PID:2660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:4736

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 1075723361132581789323326737026607228981683628974333020926 /f
3⤵
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:4212

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-10757 /f
3⤵
PID:3032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
2⤵
PID:2328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:1468

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-10757 /f
3⤵
PID:4692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
2⤵
PID:2272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
2⤵
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:2604

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 10760-1341-31123-9188 /f
3⤵
PID:5016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
2⤵
PID:1928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random} /f
2⤵
PID:4736

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {10760-%random} /f
3⤵
PID:4504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
2⤵
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
2⤵
PID:3284

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 10760134131123 /f
3⤵
PID:668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
2⤵
PID:3312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random% /f
2⤵
PID:5084

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 10760 /f
3⤵
- Modifies registry key
PID:4900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
2⤵
PID:2992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random% /f
2⤵
PID:3820

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 10760 /f
3⤵
- Modifies registry key
PID:820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
2⤵
PID:4492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%%random%%random% /f
2⤵
PID:2292

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 10760134131123 /f
3⤵
- Enumerates system info in registry
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
2⤵
PID:452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:3676

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {10760-1341-311239188} /f
3⤵
- Modifies registry key
PID:3880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
2⤵
PID:652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:4248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5056

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {10760-1341-311239188} /f
3⤵
PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
2⤵
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:3816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2992

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {10763-12089-16219483} /f
3⤵
- Modifies registry key
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:4360

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 10763-12089-16219483 /f
3⤵
- Modifies registry key
PID:4004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
2⤵
PID:4504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:1920

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 10763-12089-16219483 /f
3⤵
- Modifies registry key
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
2⤵
PID:4600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:652

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 10763-12089-16219483 /f
3⤵
PID:5056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
2⤵
PID:4240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:1336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1928

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 10763-12089-16219483 /f
3⤵
- Modifies registry key
PID:4132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
2⤵
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:3816

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 10763-12089-16219483 /f
3⤵
- Modifies registry key
PID:4752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
2⤵
PID:2624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:2064

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 10763-12089-16219483 /f
3⤵
- Modifies registry key
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
2⤵
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
2⤵
PID:4940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:3284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3676

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 10763-12089-16219483 /f
3⤵
- Modifies registry key
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
2⤵
PID:4500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:3828

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {10763-12089-16219483} /f
3⤵
PID:1336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
2⤵
PID:2640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
- Checks processor information in registry
PID:2116

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {10763-12089-16219483} /f
3⤵
- Modifies registry key
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
2⤵
PID:4492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:2152

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-10766 /f
3⤵
PID:5004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
2⤵
PID:100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
2⤵
PID:980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3880

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 10766 /f
3⤵
- Modifies registry key
PID:1052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
2⤵
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
2⤵
PID:2972

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 10766 /f
3⤵
PID:1336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
2⤵
PID:3748

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-10766 /f
3⤵
PID:2324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
2⤵
PID:3288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:3280

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {10766-22838-1315-2454721501} /f
3⤵
- Modifies registry key
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
2⤵
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
2⤵
PID:2328

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {10766-22838-1315-2454721501} /f
3⤵
- Modifies registry key
PID:4244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
2⤵
PID:1336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
2⤵
PID:3184

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 10766 /f
3⤵
PID:4268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
2⤵
PID:4004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
2⤵
PID:668

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 10766 /f
3⤵
- Modifies registry key
PID:3840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
2⤵
PID:1620

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 10766 /f
3⤵
- Modifies registry key
PID:4360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:2952

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 10766-22838-1315-24547 /f
3⤵
- Modifies registry key
PID:636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4940

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 10770-818-19179-15842 /f
3⤵
- Modifies registry key
PID:5084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%-%random%-%random%-%random% /f
2⤵
PID:4752

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 10770-818-19179-15842 /f
3⤵
- Modifies registry key
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random% /f
2⤵
PID:1816

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 10770 /f
3⤵
- Modifies registry key
PID:2292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
2⤵
PID:3708

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 10770 /f
3⤵
PID:4492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
2⤵
PID:4192

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 10770 /f
3⤵
- Modifies registry key
PID:2952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%-%random%-%random%-%random%} /f
2⤵
PID:2328

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {10770-818-19179-15842} /f
3⤵
PID:652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
2⤵
PID:1172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4252

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
3⤵
- Modifies registry key
PID:4212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
2⤵
PID:3288

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 10770-818-19179-1584231816 /f
3⤵
- Modifies registry key
PID:5004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
2⤵
PID:100

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
- Enumerates system info in registry
- Modifies registry key
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
2⤵
PID:4196

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
- Modifies registry key
PID:4212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
2⤵
PID:1456

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
- Modifies registry key
PID:488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
2⤵
PID:1864

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:1468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:4244

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
- Modifies registry key
PID:2452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:4500

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:4736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:1104

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
- Modifies registry key
PID:4132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:3512

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
- Modifies registry key
PID:1052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:2052

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
- Modifies registry key
PID:3936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
2⤵
PID:1008

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
3⤵
- Modifies registry key
PID:4400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:4132

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 10776-22315-2213931201 /f
3⤵
- Modifies registry key
PID:1172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:3032

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 10776-22315-2213931201 /f
3⤵
- Modifies registry key
PID:1468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:3916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1620

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 10776-22315-2213931201 /f
3⤵
- Modifies registry key
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
2⤵
PID:2628

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
- Modifies registry key
PID:4196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:4212

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 10776-22315-2213931201 /f
3⤵
- Modifies registry key
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:3136

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 10776-22315-2213931201 /f
3⤵
- Modifies registry key
PID:4276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Enumerates system info in registry
PID:2396

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 10776-22315-2213931201 /f
3⤵
- Modifies registry key
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
2⤵
PID:2684

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
- Modifies registry key
PID:1180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
2⤵
PID:4132

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
3⤵
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
2⤵
PID:1864

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
- Modifies registry key
PID:1696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
2⤵
PID:4940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4360

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
PID:4500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
2⤵
PID:1104

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
- Modifies registry key
PID:4212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
2⤵
PID:3136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3820

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
- Modifies registry key
PID:3512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
2⤵
PID:2628

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
3⤵
- Modifies registry key
PID:4476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1172

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 10780295723622496299922089156262407134518706229521234 /f
3⤵
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:404

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 10783-11044-2510013791 /f
3⤵
- Modifies registry key
PID:1468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:1696

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 10783-11044-2510013791 /f
3⤵
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:2292

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 10783-11044-2510013791 /f
3⤵
- Modifies registry key
PID:3004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
2⤵
PID:100

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
PID:3288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:2120

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 10783-11044-2510013791 /f
3⤵
- Modifies registry key
PID:4500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%%random% /f
2⤵
PID:3032

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 10783-11044-2510013791 /f
3⤵
- Modifies registry key
PID:488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
2⤵
PID:2700

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
3⤵
PID:5116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
2⤵
PID:3312

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
3⤵
- Modifies registry key
PID:1972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
2⤵
PID:5052

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
3⤵
- Modifies registry key
PID:2708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
2⤵
PID:1648

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
2⤵
PID:5116

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
PID:100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
2⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4940

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History /f
3⤵
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
2⤵
PID:404

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
3⤵
PID:3632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
2⤵
PID:1104

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
- Modifies registry key
PID:1964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1704

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 1078621792101965087178539943218512932116006409199921322 /f
3⤵
PID:2708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:4500

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 10786217921019650871785399432185129321160064091999 /f
3⤵
- Modifies registry key
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:452

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 1078621792101965087178539943218512932116006409 /f
3⤵
- Modifies registry key
PID:2764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:4240

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 107893254128060291502816713869249632639318112261185121366 /f
3⤵
- Modifies registry key
PID:3776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1456

C:\Windows\system32\reg.exe
REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 107893254128060291502816713869249632639318112261185121366 /f
3⤵
- Modifies registry key
PID:3632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2272

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 107893254128060291502816713869249632639318112 /f
3⤵
- Modifies registry key
PID:100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:1696

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 107893254128060291502816713869249632639318112 /f
3⤵
PID:564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:2708

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 107893254128060291502816713869249632639318112 /f
3⤵
- Modifies registry key
PID:1456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4132

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 107931052113156 /f
3⤵
- Modifies registry key
PID:1052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:388

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 107931052113156 /f
3⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4212

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 107931052113156 /f
3⤵
- Modifies registry key
PID:100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
2⤵
PID:1052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4500

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 107931052113156 /f
3⤵
- Modifies registry key
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
2⤵
PID:3996

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 107931052113156204455714177962807623466185526881170321410 /f
3⤵
- Modifies registry key
PID:652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
2⤵
PID:4192

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {10793-10521-1315620445} /f
3⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\IME\Cleaner.exe
2⤵
PID:2292

C:\Windows\IME\Cleaner.exe
C:\Windows\IME\Cleaner.exe
3⤵
PID:388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:892

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E02~1
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C5~1
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E02~1
Filesize
230B

MD5
98d2897450ff69f9be8a0141b6faccc0

SHA1
c90a0ba7ed6b5d0d39ad656f2d644f7a0f4216e8

SHA256
05e354da936187f1e4aa5a528478ec320780f93eaf0ad8033f8acbb27277ad21

SHA512
6889ffb5bfff924cda0510a4de4ba4e54770b1b30763cc0558d475c2eed1d1672b8150dfeaf7c7fda9f375964fddccbdae7e5914be44334a07f3cba7bef5b999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C5~1
Filesize
252B

MD5
c92ab58957ba84d179bfc937f625db4c

SHA1
1916bd7f565f4eebe70bc1d897943d4256eac547

SHA256
ffa1083c4879fdd58af09e0e575250920b02e56019112e3916a1c3e83b28148b

SHA512
f7a2278ecc652742042d8b690f27d57ee096d19ca68416e291dfc69529af4bcd7e9eeacffa43862592609486135ddc19d1c96c0ed20f0d258c7e6d7a04af25e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
3aa372689001b237d92266935083776d

SHA1
854d9c6a480c5121be60801be90a2656e271bd50

SHA256
a0d46d5faca199fd6ebf163c1adb552bb33b2118a197c52adcd57e87da9457d7

SHA512
08cbce01455d7b9d35207eb83ee2d764b57aeb5828a59861979bce542e4864fab48d8525c2441306e0bd72b844996657057de70018994883c4a2c4ca97c7c119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c43be34c368075f338ab382a1ebd8ff7

SHA1
468a42088be057e2a57c72a27bfb993a3b814776

SHA256
2c965c7a4b05d079cb57044f708a59e4952f7f249e31c5050a7b669df78d73ae

SHA512
6ba3443302d5adefb717eda04e9152bf553b649027222233ce933d4c842986d737e719d033bda7b0a0f4fb74e5ae88a36a01c1bb0dd9f1e34f22a963ae2c6acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
78664cc38fb5430c1415d900b06984ef

SHA1
f6e3d7bcec1fa4350484f999817fd3e36f1cffd7

SHA256
e06ec1c8bb629844867f059018c300afece6ca1b2470c8e1f09d5d25378a3c5d

SHA512
81e2b6322d256673fa416758a402add410633832091a57bbe551efd166c638231a28dd3efec4b5030b6eef6b97a468c00b1a8c780d716cc5e35ee7318fe853cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
7d9bdd8f8a2e11b828297732b34cf781

SHA1
d1f3fca0749d410cf3c8b8e8d619753d65bd2594

SHA256
4d324cd7f3cb145ffa5d274962b693426380fd69cb7f94618ff7de47a6d9af39

SHA512
6f241fa672129fdad6f6041fa1b0286749a3c0847beddaf8712f9a667355303f3f6609a21b23a1f78b36165f143ef9cf80d67d941dcf2e51f3e5bd90b827e74d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
67df2d7de50d2adbdfbcecd0ad709662

SHA1
50732db3c5618aa9ac024f039477c9199f9c4557

SHA256
02733a2c90e5d88d6bca71e7d68e4f2ca397324fc77844631473f0a050068f58

SHA512
368962e3ae7dfde23a0895176f6127c04196f6559e35c67c3e61f86fe071de80a23d10aef77f3eff26d342dcfd360ab4271e48b35ec7f787e1d70308a469ab3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7070cd16-a070-4de2-bc00-fdbaae24b59e.tmp
Filesize
336KB

MD5
811aa30f0f78027d6d5b7c05b5d0d43c

SHA1
e44c36b10217394e99fbaf33c78dfbad6714f66b

SHA256
3641f686c61b5c77f91fa3145471d75d534610f84db773e6224d2043ff9424fc

SHA512
00feff18c071d30a0923a81395df8a851632fc5be99c18695dd6c2fca9ae298fc087322e62b5bddb215a7e689ec895876a1e45eff95856a76be77b20bf76dbdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
1d3d3ade692fb6a9e026e0cd604d391c

SHA1
38d4c086fe6cb86de3c7d1936b312730a8ec42b0

SHA256
10d90d7ef26cb345211770c1ed067419508164546935a11f8e2a029dec2f1f07

SHA512
b15e3adbd5c68a4e3cb40eb4fd056925032386748669917645ae3a103be35f41af0edfd85de5fd08f7be3dc65f870604c625fe8bb94a2201c3c9ecebc6dc2de1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
26b15e6052e9b1b469e7f6466ad48563

SHA1
fecc950f579b482fb2386a2ac15b3465c65f437a

SHA256
a27f4884dffeb426a0390ea92568bf51045fa044a12f79e5d75658e909338c1f

SHA512
d13679a2702729c412a2f81116b8a8142136bbe7426e53f1b9182b6340e3f3a6528ed047d919128bafa969e248e2920347c485a07af47af17e99e9402435eb77

Download Submit
C:\Windows\IME\Cleaner.exe
Filesize
177KB

MD5
1b3a357945856b2186a82acf9ac66f21

SHA1
3fb0f26d19d861b888cebdaa36b09804d8109e91

SHA256
df9539f46b9d48b3ee99546efaa31f8c3d205aa4a0f8e0f1f9f116a354b404f9

SHA512
e0c31442d3cc896a2a6937b74cd7155501d4d342df3f0dd1d92e91973f0c549ba5cc7fe819e4aea5e9461dbdecd711e8f0440091ca130dd17e1713d25a5a5b4d

Download Submit
C:\Windows\IME\Cleaner.exe
Filesize
177KB

MD5
1b3a357945856b2186a82acf9ac66f21

SHA1
3fb0f26d19d861b888cebdaa36b09804d8109e91

SHA256
df9539f46b9d48b3ee99546efaa31f8c3d205aa4a0f8e0f1f9f116a354b404f9

SHA512
e0c31442d3cc896a2a6937b74cd7155501d4d342df3f0dd1d92e91973f0c549ba5cc7fe819e4aea5e9461dbdecd711e8f0440091ca130dd17e1713d25a5a5b4d

Download Submit
C:\Windows\TEMP\MsEdgeCrashpad\settings.dat
Filesize
152B

MD5
9442f28ca4f9239ed5428d9210e3c175

SHA1
a097e87a892d028e568f2f55fae7a32f3396ce03

SHA256
87328fc0c45ad09258532f37f815b42b666908410659e5248b59546310e18882

SHA512
09577651a672b6971a83704b4d9851672818a1193d2b24dbcd143284e60e5cfb0262e8cfd14135df40c37b7954ff436f57ff2a9001392ef3d925e33d0d8a5e21

Download Submit
C:\Windows\TEMP\MsEdgeCrashpad\throttle_store.dat
Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
\??\pipe\LOCAL\crashpad_3856_FTGYRKAGVDARPSLM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3656-133-0x0000000140000000-0x0000000140567000-memory.dmp

Filesize
5.4MB

Download