cerber | 7c89499d85795d6727f8d864733b78870f3ce076ed4aa065c8f8cc44ee126b1f

System Information Discovery

Processes:

Trinity Cleaner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Trinity Cleaner.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = e000e6008100d500a00002000000	Trinity Cleaner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks system information in the registry 2 TTPs 14 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

cmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "/ve"
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "25203-271472146725173"
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "/ve"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "/ve"
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "25203-271472146725173"
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "25203-271472146725173"
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "25203-271472146725173"

Drops file in System32 directory 7 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\INF\mdmcxpv6.inf
File opened for modification	C:\Windows\INF\wnetvsc_vfpp.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\CORPerfMonSymbols.h
File opened for modification	C:\Windows\INF\mdmgl005.inf
File opened for modification	C:\Windows\INF\megasas.inf
File opened for modification	C:\Windows\INF\iaLPSS2i_GPIO2_SKL.inf
File opened for modification	C:\Windows\INF\mdmnis1u.inf
File opened for modification	C:\Windows\INF\TERMSE~1\tslabels.h
File opened for modification	C:\Windows\INF\NETCLR~1.0\_Networkingperfcounters.ini
File opened for modification	C:\Windows\INF\wfplwfs.inf
File opened for modification	C:\Windows\INF\errata.inf
File opened for modification	C:\Windows\INF\nettun.inf
File opened for modification	C:\Windows\INF\c_fscopyprotection.inf
File opened for modification	C:\Windows\INF\ialpssi_gpio.inf
File opened for modification	C:\Windows\INF\MSDTCB~2.0\0407\_TransactionBridgePerfCounters_D.ini
File opened for modification	C:\Windows\INF\netrasa.inf
File opened for modification	C:\Windows\INF\c_display.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmnttd2.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_nettrans.inf
File opened for modification	C:\Windows\INF\wsynth3dvsc.inf
File opened for modification	C:\Windows\INF\wmiacpi.inf
File opened for modification	C:\Windows\INF\ipoib6x.inf
File opened for modification	C:\Windows\INF\netwns64.inf
File opened for modification	C:\Windows\INF\usbcir.inf	cmd.exe
File opened for modification	C:\Windows\INF\mrvlpcie8897.inf
File opened for modification	C:\Windows\INF\wave.inf
File opened for modification	C:\Windows\INF\lsi_sss.inf
File opened for modification	C:\Windows\INF\MSDTC\0411\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\netwns64.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmcomp.inf
File opened for modification	C:\Windows\INF\mdmaiwa5.inf
File opened for modification	C:\Windows\INF\hpsamd.inf	cmd.exe
File opened for modification	C:\Windows\INF\uaspstor.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmgl009.inf	cmd.exe
File opened for modification	C:\Windows\INF\wvmgid.inf
File opened for modification	C:\Windows\INF\mdmags64.inf
File opened for modification	C:\Windows\INF\mdmpace.inf
File opened for modification	C:\Windows\INF\mdmsier.inf	cmd.exe
File opened for modification	C:\Windows\INF\net44amd.inf
File opened for modification	C:\Windows\INF\UGATHE~1\0000\gsrvctr.ini
File opened for modification	C:\Windows\INF\hidbatt.inf
File opened for modification	C:\Windows\INF\prncacla.inf
File opened for modification	C:\Windows\INF\UGTHRSVC\0000\gthrctr.ini
File opened for modification	C:\Windows\INF\mdmtdkj5.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmdcm6.inf
File opened for modification	C:\Windows\INF\mdmgl003.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fscontinuousbackup.inf
File opened for modification	C:\Windows\INF\npsvctrig.inf
File opened for modification	C:\Windows\INF\c_bluetooth.inf
File opened for modification	C:\Windows\INF\mdmarn.inf
File opened for modification	C:\Windows\INF\mdmsun2.inf
File opened for modification	C:\Windows\INF\WSEARC~1\0411\idxcntrs.ini
File opened for modification	C:\Windows\INF\mdmaiwat.inf
File opened for modification	C:\Windows\INF\megasas2i.inf
File opened for modification	C:\Windows\INF\scrawpdo.inf
File opened for modification	C:\Windows\INF\usbvideo.inf	cmd.exe
File opened for modification	C:\Windows\INF\volmgr.inf
File opened for modification	C:\Windows\INF\c_netdriver.inf
File opened for modification	C:\Windows\INF\mdmbw561.inf
File opened for modification	C:\Windows\INF\c_monitor.inf
File opened for modification	C:\Windows\INF\rdyboost\0409\ReadyBoostPerfCounters.ini
File opened for modification	C:\Windows\INF\scmvolume.inf
File opened for modification	C:\Windows\INF\wvmbushid.inf
File opened for modification	C:\Windows\INF\rt640x64.inf	cmd.exe

Launches sc.exe 13 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1456 sc.exe
2788 sc.exe
2308 sc.exe
4616 sc.exe
5076 sc.exe
2336 sc.exe
1488 sc.exe
4672 sc.exe
4644 sc.exe
1932 sc.exe
5112 sc.exe
2924 sc.exe
4636 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1456	sc.exe
2788	sc.exe
2308	sc.exe
4616	sc.exe
5076	sc.exe
2336	sc.exe
1488	sc.exe
4672	sc.exe
4644	sc.exe
1932	sc.exe
5112	sc.exe
2924	sc.exe
4636	sc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

reg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

System Information Discovery

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exeTrinity Cleaner.exereg.exereg.exereg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "25193-27670-642-1851912603"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion = "25206-5127"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "@6‚Õ\u00a0\x02"	Trinity Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "25206-5127"
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Trinity Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "25190-169211554627224"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "25190-16921-15546-272242289"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "/ve"
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "/ve"
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "25203-271472146725173"
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "/ve"
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "25206-5127"
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "25190-16921-15546-272242289"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "25206-5127"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Trinity Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "25206-5127"
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "25206-5127"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "25206-5127"
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "25193-27670-642-1851912603"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "25203-271472146725173"
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Trinity Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Trinity Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "@6‚Õ\u00a0\x02"	Trinity Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "25206-5127"
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "25206-5127"
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "25193-2767064218519"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2668
4888
4392
2488 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

pid process

4552

pid	process
2668
4888
4392
2488	ipconfig.exe

pid	process
4552

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2756	taskkill.exe
4776	taskkill.exe
4540	taskkill.exe
4348	taskkill.exe
2772	taskkill.exe
4012	taskkill.exe
2468	taskkill.exe
4288	taskkill.exe
3612	taskkill.exe
1952	taskkill.exe
2888	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 025193276706421851912603162123266617219584	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 25200163993602111046494752949131719839	reg.exe

Modifies registry class 9 IoCs

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Interface\ClsidStore = 02519656501850698142291855482637832453327156271940427915	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Installer\Dependencies	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Installer\Dependencies\MSICache = 025200163993602111046494752949131719839947919256	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Interface\ClsidStore = 25193276706421851912603162123266617219584217751955227871	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Installer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Interface	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Interface	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Installer\Dependencies	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000_Classes\Installer\Dependencies\MSICache = 0251932767064218519126031621232666172195842177519552	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2980	reg.exe
3540	reg.exe
364	reg.exe
4316	reg.exe
780	reg.exe
3060	reg.exe
3408	reg.exe
1848	reg.exe
4696	reg.exe
4452	reg.exe
676	reg.exe
4212	reg.exe
4392	reg.exe
3924	reg.exe
400	reg.exe
4316	reg.exe
3844	reg.exe
1932	reg.exe
508	reg.exe
4392	reg.exe
3952	reg.exe
3936	reg.exe
5104	reg.exe
2904	reg.exe
852	reg.exe
1856
4640	reg.exe
496	reg.exe
4648	reg.exe
3584	reg.exe
2860	reg.exe
4952	reg.exe
5112	reg.exe
1080	reg.exe
368	reg.exe
1012	reg.exe
4408	reg.exe
3960	reg.exe
1056	reg.exe
3640	reg.exe
5084	reg.exe
168	reg.exe
3804	reg.exe
1008	reg.exe
32	reg.exe
1996	reg.exe
2968	reg.exe
3316	reg.exe
5044	reg.exe
1392	reg.exe
3328	reg.exe
3996	reg.exe
2800	reg.exe
2028	reg.exe
68	reg.exe
484	reg.exe
4520	reg.exe
3980	reg.exe
1380	reg.exe
1308	reg.exe
4532	reg.exe
4620	reg.exe
3612	reg.exe
3924	reg.exe

Runs net.exe
Suspicious behavior: LoadsDriver 26 IoCs

Processes:

pid process

600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600

pid	process
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ggpermV3.exetaskkill.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4356	ggpermV3.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeAssignPrimaryTokenPrivilege	2892	svchost.exe
Token: SeIncreaseQuotaPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeTakeOwnershipPrivilege	2892	svchost.exe
Token: SeLoadDriverPrivilege	2892	svchost.exe
Token: SeSystemtimePrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeRestorePrivilege	2892	svchost.exe
Token: SeShutdownPrivilege	2892	svchost.exe
Token: SeSystemEnvironmentPrivilege	2892	svchost.exe
Token: SeUndockPrivilege	2892	svchost.exe
Token: SeManageVolumePrivilege	2892	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2892	svchost.exe
Token: SeIncreaseQuotaPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeTakeOwnershipPrivilege	2892	svchost.exe
Token: SeLoadDriverPrivilege	2892	svchost.exe
Token: SeSystemtimePrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeRestorePrivilege	2892	svchost.exe
Token: SeShutdownPrivilege	2892	svchost.exe
Token: SeSystemEnvironmentPrivilege	2892	svchost.exe
Token: SeUndockPrivilege	2892	svchost.exe
Token: SeManageVolumePrivilege	2892	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2892	svchost.exe
Token: SeIncreaseQuotaPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeTakeOwnershipPrivilege	2892	svchost.exe
Token: SeLoadDriverPrivilege	2892	svchost.exe
Token: SeSystemtimePrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeRestorePrivilege	2892	svchost.exe
Token: SeShutdownPrivilege	2892	svchost.exe
Token: SeSystemEnvironmentPrivilege	2892	svchost.exe
Token: SeUndockPrivilege	2892	svchost.exe
Token: SeManageVolumePrivilege	2892	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2892	svchost.exe
Token: SeIncreaseQuotaPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeTakeOwnershipPrivilege	2892	svchost.exe
Token: SeLoadDriverPrivilege	2892	svchost.exe
Token: SeSystemtimePrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeRestorePrivilege	2892	svchost.exe
Token: SeShutdownPrivilege	2892	svchost.exe
Token: SeSystemEnvironmentPrivilege	2892	svchost.exe
Token: SeUndockPrivilege	2892	svchost.exe
Token: SeManageVolumePrivilege	2892	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2892	svchost.exe
Token: SeIncreaseQuotaPrivilege	2892	svchost.exe
Token: SeSecurityPrivilege	2892	svchost.exe
Token: SeTakeOwnershipPrivilege	2892	svchost.exe
Token: SeLoadDriverPrivilege	2892	svchost.exe
Token: SeSystemtimePrivilege	2892	svchost.exe
Token: SeBackupPrivilege	2892	svchost.exe
Token: SeRestorePrivilege	2892	svchost.exe
Token: SeShutdownPrivilege	2892	svchost.exe
Token: SeSystemEnvironmentPrivilege	2892	svchost.exe
Token: SeUndockPrivilege	2892	svchost.exe
Token: SeManageVolumePrivilege	2892	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2892	svchost.exe
Token: SeIncreaseQuotaPrivilege	2892	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ggpermV3.execmd.exenet.exe

description	pid	process	target process
PID 4356 wrote to memory of 4436	4356	ggpermV3.exe	sxghr-driver.exe
PID 4356 wrote to memory of 4436	4356	ggpermV3.exe	sxghr-driver.exe
PID 4356 wrote to memory of 2292	4356	ggpermV3.exe	cmd.exe
PID 4356 wrote to memory of 2292	4356	ggpermV3.exe	cmd.exe
PID 4356 wrote to memory of 2292	4356	ggpermV3.exe	cmd.exe
PID 2292 wrote to memory of 4072	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4072	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4952	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4952	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1056	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1056	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4736	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4736	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 3272	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 3272	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1456	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1456	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4560	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4560	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2884	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2884	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2792	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2792	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2332	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2332	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 5048	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 5048	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4632	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4632	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4696	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4696	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1764	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1764	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4264	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4264	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4456	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4456	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 3924	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 3924	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1196	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1196	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4120	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4120	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2736	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2736	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4644	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4644	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4604	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4604	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2456	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2456	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1816	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1816	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2228	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 2228	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4344	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 4344	2292	cmd.exe	AMIDEWINx64.EXE
PID 2292 wrote to memory of 1536	2292	cmd.exe	net.exe
PID 2292 wrote to memory of 1536	2292	cmd.exe	net.exe
PID 2292 wrote to memory of 1536	2292	cmd.exe	net.exe
PID 1536 wrote to memory of 4748	1536	net.exe	net1.exe
PID 1536 wrote to memory of 4748	1536	net.exe	net1.exe
PID 1536 wrote to memory of 4748	1536	net.exe	net1.exe
PID 2292 wrote to memory of 4548	2292	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\ggpermV3\ggpermV3.exe
"C:\Users\Admin\AppData\Local\Temp\ggpermV3\ggpermV3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BV 4676139183157226453
3⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SV 26087240781387221433
3⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PAT 1250510906650623659
3⤵
PID:2792

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 25200163993602111046494752949131719839 /f
4⤵
- Modifies Internet Explorer settings
PID:3524

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SM 19637131901021330978
3⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BM 21521067692811789
3⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BLC 1072751342501228195
3⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CV 2350895115825584
3⤵
PID:4604

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d /ve /f
4⤵
PID:4620

C:\Windows\SysWOW64\net.exe
net stop winmgmt /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SK 3005030311922417352
3⤵
PID:4344

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSK 1946824737933126617
3⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CO 1120631304273298713
3⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CA 4728116681957929896
3⤵
PID:2456

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CT 291042946145999163
3⤵
PID:4644

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {25200-16399-36021110} /f
4⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CM 2346116864342320736
3⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BT 305662605329624348
3⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BP 32548143132737321911
3⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SF 28866923848222578
3⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BS 119833701276219503
3⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SP 166239607143567969
3⤵
PID:4696

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:1192

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 25200163993602 /f
5⤵
- Modifies registry key
PID:4696

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IV 1950326131798520855
3⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PPN 1485528297259723595
3⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SU AUTO
3⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PSN 1480545552333814323
3⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CS 180708231269124439
3⤵
PID:1456

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
4⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BS 31757280532443326417
3⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SS 326703111188594468
3⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SS 2508565294810862
3⤵
PID:4072

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
4⤵
PID:3272

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 2520016399360211104649475294913171983994791925627959 /f
5⤵
- Modifies registry key
PID:3328

C:\Windows\SysWOW64\net.exe
net start winmgmt /y
3⤵
PID:4548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start winmgmt /y
4⤵
PID:2468

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25206-5127656316468 /f
5⤵
PID:764

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:2488

C:\Windows\SysWOW64\sc.exe
sc start winmgmt
3⤵
- Launches sc.exe
PID:1932

C:\Windows\SysWOW64\sc.exe
sc stop winmgmt
3⤵
- Launches sc.exe
PID:2336

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2488

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25200-1639936021110 /f
5⤵
PID:2336

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
3⤵
PID:2076

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\ggpermV3\sxghr-driver.exe
"C:\Users\Admin\AppData\Local\Temp\ggpermV3\sxghr-driver.exe"
2⤵
PID:4436

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25206-5127656316468 /f
3⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\ggpermV3\Trinity Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\ggpermV3\Trinity Cleaner.exe"
2⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
3⤵
PID:2224

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
4⤵
- Kills process with taskkill
PID:2888

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
4⤵
PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
PID:212

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
4⤵
- Kills process with taskkill
PID:4540

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
4⤵
PID:744

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25193-27670-642-1851912603 /f
5⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
3⤵
PID:5088

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
4⤵
- Kills process with taskkill
PID:4348

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
5⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
3⤵
PID:1448

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
4⤵
- Modifies registry key
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
3⤵
PID:4244

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
4⤵
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
3⤵
PID:3856

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
4⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\ACR06A7 /f
3⤵
PID:4228

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\ACR06A7 /f
4⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\PHLC0B1 /f
3⤵
PID:3688

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\PHLC0B1 /f
4⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration /f
3⤵
PID:3916

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration /f
4⤵
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity /f
3⤵
PID:4424

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity /f
4⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
3⤵
PID:3384

C:\Windows\system32\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
4⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
3⤵
PID:3844

C:\Windows\system32\reg.exe
reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
4⤵
- Checks processor information in registry
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:4736

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 251901692115546272242289304632015390993072279231970027827 /f
4⤵
- Modifies registry key
PID:3316

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 25193-27670-642-1851912603 /f
5⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
3⤵
PID:1080

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-25190 /f
4⤵
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
3⤵
PID:3804

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-25190 /f
4⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
3⤵
PID:1488

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 2519016921-15546-27224-2289 /f
4⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random%-%random} /f
3⤵
PID:5048

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {25190-16921-%random} /f
4⤵
- Modifies registry key
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2660

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 25190-169211554627224 /f
4⤵
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%-%random% /f
3⤵
PID:1452

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 25190-16921 /f
4⤵
- Modifies registry key
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%-%random% /f
3⤵
PID:1384

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 25190-16921 /f
4⤵
- Modifies registry key
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1196

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 25190-169211554627224 /f
4⤵
- Enumerates system info in registry
- Modifies registry key
PID:5044

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:4000

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {25190-16921-15546-272242289} /f
4⤵
- Modifies registry key
PID:4620

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 25193-27670-642-1851912603 /f
5⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:4636

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {25190-16921-15546-272242289} /f
4⤵
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:2800

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {25190-16921-15546-272242289} /f
4⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2228

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
PID:4212

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
5⤵
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:5104

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
- Modifies registry key
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:4824

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
- Modifies registry key
PID:3936

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:3932

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25200-1639936021110 /f
5⤵
PID:816

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25206-5127656316468 /f
6⤵
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:5100

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
PID:2772

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2980

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:764

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
- Enumerates system info in registry
- Modifies registry key
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2744

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
- Enumerates system info in registry
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:2160

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {25190-16921-15546-272242289} /f
4⤵
PID:3088

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:1156

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d /ve /f
5⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:676

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {25190-16921-15546-272242289} /f
4⤵
PID:2592

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 251932767064218519126031621232666172195842177519552 /f
5⤵
- Modifies registry class
- Modifies registry key
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
3⤵
PID:4368

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-25190 /f
4⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
3⤵
PID:1932

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 25190 /f
4⤵
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
3⤵
PID:4660

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 25190 /f
4⤵
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
3⤵
PID:1500

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-25190 /f
4⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:2516

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {2519016921-15546-27224-228930463} /f
4⤵
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:1008

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {2519016921-15546-27224-228930463} /f
4⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
3⤵
PID:1028

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25190 /f
4⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
3⤵
PID:1812

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 25190 /f
4⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
3⤵
PID:4576

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 25190 /f
4⤵
- Modifies registry key
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
3⤵
PID:2968

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 25190-16921-15546-27224 /f
4⤵
- Modifies registry key
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
3⤵
PID:2020

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 2519016921-15546-27224-2289 /f
4⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
3⤵
PID:1568

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 2519016921-15546-27224-2289 /f
4⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random%%random% /f
3⤵
PID:3944

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 2519016921 /f
4⤵
- Modifies registry key
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
3⤵
PID:3980

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 25190 /f
4⤵
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
3⤵
PID:3404

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 25190 /f
4⤵
PID:3552

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
4⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%-%random%-%random%} /f
3⤵
PID:4408

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2519016921-15546-27224-2289} /f
4⤵
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
3⤵
PID:1036

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
4⤵
- Modifies registry key
PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:484

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
PID:4288

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
4⤵
- Modifies registry key
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
PID:2756

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
4⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
PID:3612

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
4⤵
- Modifies registry key
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:4776

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
4⤵
PID:3512

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
5⤵
- Modifies registry key
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
PID:1952

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
4⤵
- Modifies registry key
PID:168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
PID:4520

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
4⤵
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
PID:1296

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
4⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
3⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:4392

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:3364

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 25190-16921-15546-272242289 /f
4⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
3⤵
PID:3540

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
4⤵
- Modifies registry key
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
3⤵
PID:2700

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
4⤵
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
3⤵
PID:3852

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
4⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
PID:4316

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
4⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:3328

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2116

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
PID:2860

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
4⤵
- Modifies registry key
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
3⤵
PID:2796

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
4⤵
- Modifies registry key
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
3⤵
PID:2332

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
4⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:1012

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 25193276706421851912603162123266617219584217751955227871 /f
4⤵
- Modifies registry class
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:3368

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
PID:4172

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
4⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:1424

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
PID:4120

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
4⤵
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
PID:1388

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
4⤵
- Modifies registry key
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2628

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
PID:4636

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 25203-271472146725173 /f
5⤵
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
3⤵
PID:1816

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
4⤵
- Modifies registry key
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
3⤵
PID:5084

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
4⤵
- Modifies registry key
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
3⤵
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
PID:816

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
4⤵
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
PID:2764

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
4⤵
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
3⤵
PID:3164

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History /f
4⤵
- Modifies registry key
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
3⤵
PID:3996

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
4⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
PID:3628

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
4⤵
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:780

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 25193276706421851912603162123266617219584217751955227871 /f
4⤵
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:4080

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 2519327670642185191260316212326661721958421775 /f
4⤵
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:1288

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 25193276706421851912603162123266617219584217751955227871 /f
4⤵
- Modifies registry key
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:3912

C:\Windows\system32\reg.exe
REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 25193276706421851912603162123266617219584217751955227871 /f
4⤵
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:400

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 25193276706421851912603162123266617219584 /f
4⤵
- Modifies Internet Explorer settings
- Modifies registry key
PID:364

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 25196-5650-18506-981422918 /f
5⤵
- Modifies registry key
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:404

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 25193276706421851912603162123266617219584 /f
4⤵
PID:1268

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
4⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:1364

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 25193276706421851912603162123266617219584 /f
4⤵
- Modifies registry key
PID:1008

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25200-1639936021110 /f
5⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
3⤵
PID:2940

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 2519327670642 /f
4⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
3⤵
PID:1020

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 2519327670642 /f
4⤵
PID:1812

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
5⤵
PID:4256

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
3⤵
PID:1380

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 2519327670642 /f
4⤵
PID:4576

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
3⤵
PID:1848

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 2519327670642 /f
4⤵
- Modifies registry key
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
3⤵
PID:2828

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {25193-27670-64218519} /f
4⤵
PID:2020

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
4⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
3⤵
PID:3300

C:\Windows\system32\reg.exe
reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
4⤵
- Checks processor information in registry
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:3960

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 25193276706421851912603162123266617219584217751955227871 /f
4⤵
PID:3500

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
5⤵
PID:3960

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25200-1639936021110 /f
6⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
3⤵
PID:3380

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-25193 /f
4⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
3⤵
PID:3560

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-25193 /f
4⤵
PID:876

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%-%random% /f
3⤵
PID:1552

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 25193-27670-642-18519-12603 /f
4⤵
- Modifies registry key
PID:368

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random%-%random} /f
3⤵
PID:1076

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {25193-27670-%random} /f
4⤵
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:5068

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 25193-2767064218519 /f
4⤵
- Modifies registry key
PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%-%random% /f
3⤵
PID:496

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
4⤵
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%-%random% /f
3⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3616

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 25193-2767064218519 /f
4⤵
- Enumerates system info in registry
PID:2296

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
5⤵
PID:3660

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
6⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:3064

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {25193-27670-642-1851912603} /f
4⤵
- Modifies registry key
PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:168

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {25193-27670-642-1851912603} /f
4⤵
PID:1952

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d 25206-5127 /f
5⤵
PID:2888

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
4⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:3516

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {25193-27670-642-1851912603} /f
4⤵
- Modifies registry key
PID:4520

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
5⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:1844

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
PID:1296

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
4⤵
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:5088

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:1448

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
- Modifies registry key
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:4244

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
PID:3364

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
4⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2696

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
- Enumerates system info in registry
PID:4796

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
4⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:4452

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 25193-27670-642-1851912603 /f
4⤵
- Enumerates system info in registry
- Modifies registry key
PID:3540

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
4⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:3688

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {25193-27670-642-1851912603} /f
4⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:3916

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {25193-27670-642-1851912603} /f
4⤵
PID:3852

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
4⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
3⤵
PID:4424

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-25196 /f
4⤵
- Modifies registry key
PID:4316

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
4⤵
PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
3⤵
PID:3384

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 25196 /f
4⤵
PID:3328

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
4⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
3⤵
PID:3844

C:\Windows\system32\reg.exe
REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 25196 /f
4⤵
PID:2116

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
5⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
3⤵
PID:4736

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-25196 /f
4⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:1080

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {251965650-18506-9814-229185548} /f
4⤵
PID:2860

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
4⤵
PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
3⤵
PID:3804

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {251965650-18506-9814-229185548} /f
4⤵
PID:2796

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
4⤵
PID:4632

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 25200163993602111046494752949131719839 /f
5⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
3⤵
PID:1488

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 25196 /f
4⤵
PID:2332

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
5⤵
PID:4808

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 25200163993602 /f
6⤵
PID:2332

C:\Windows\system32\reg.exe
REG ADD HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0 /f
4⤵
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
3⤵
PID:4532

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 25196 /f
4⤵
- Modifies registry key
PID:1012

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
5⤵
PID:4264

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 25200163993602 /f
6⤵
PID:1012

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
4⤵
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
3⤵
PID:4648

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 25196 /f
4⤵
- Modifies registry key
PID:2904

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
4⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
3⤵
PID:1452

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 251965650-18506-9814-22918 /f
4⤵
PID:1540

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random%%random% /f
3⤵
PID:1384

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 251965650 /f
4⤵
PID:4172

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
3⤵
PID:3924

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 25196 /f
4⤵
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
3⤵
PID:4680

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 25196 /f
4⤵
PID:772

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25200-1639936021110 /f
5⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%-%random%-%random%} /f
3⤵
PID:4384

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {251965650-18506-9814-22918} /f
4⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
3⤵
PID:2800

C:\Windows\system32\reg.exe
REG delete HKCU\Software\Epic" "Games /f
4⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2228

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
- Modifies registry key
PID:4212

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25200-1639936021110 /f
5⤵
PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
3⤵
PID:5104

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
4⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
3⤵
PID:2776

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
4⤵
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
3⤵
PID:3936

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
4⤵
PID:2764

C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
4⤵
- Kills process with taskkill
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
3⤵
PID:2980

C:\Windows\system32\reg.exe
reg delete HKCR\com.epicgames.launcher /f
4⤵
PID:3164

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:3224

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d /ve /f
5⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
PID:764

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
4⤵
PID:3996

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25200-1639936021110 /f
5⤵
PID:3088

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d /ve /f
6⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
PID:1864

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
4⤵
PID:3628

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:3676

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d /ve /f
5⤵
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
PID:1536

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
4⤵
- Modifies registry key
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
PID:676

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
4⤵
PID:2592

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
PID:4368

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
4⤵
PID:4080

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
3⤵
PID:1620

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
4⤵
PID:672

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:3536

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
PID:1932

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
4⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:356

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
PID:2516

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
3⤵
PID:2948

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
4⤵
PID:1364

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25206-5127656316468 /f
5⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:1028

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:1524

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
- Modifies registry key
PID:68

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2132

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
- Modifies registry key
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
3⤵
PID:5016

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
3⤵
PID:3964

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
4⤵
PID:1584

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
5⤵
PID:3956

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25200-1639936021110 /f
6⤵
PID:1568

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
4⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
3⤵
PID:3968

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
4⤵
- Modifies registry key
PID:3584

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
4⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
3⤵
PID:4524

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
4⤵
- Modifies registry key
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
3⤵
PID:3552

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
4⤵
- Modifies registry key
PID:3980

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25206-5127656316468 /f
5⤵
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
3⤵
PID:1716

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
4⤵
- Modifies registry key
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
3⤵
PID:1308

C:\Windows\system32\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
4⤵
- Modifies registry key
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:4852

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 2519656501850698142291855482637832453327156271940427915 /f
4⤵
- Modifies registry class
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:1996

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
- Modifies registry key
PID:484

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
4⤵
PID:3532

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
5⤵
PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:5108

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
PID:4288

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 25206-5127 /f
4⤵
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:4640

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
PID:5060

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
4⤵
PID:4104

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BIOSVersion /t REG_SZ /d 25206-5127 /f
5⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
3⤵
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
3⤵
PID:376

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 25196-5650-18506-981422918 /f
4⤵
PID:216

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
4⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
3⤵
PID:224

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
4⤵
PID:2888

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 25206-5127 /f
4⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
3⤵
PID:1556

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
4⤵
PID:3824

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
5⤵
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
PID:3324

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
4⤵
- Modifies registry key
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
3⤵
PID:4832

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
4⤵
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
3⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
3⤵
PID:1152

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History /f
4⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
3⤵
PID:380

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
4⤵
PID:2668

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
4⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
3⤵
PID:3700

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
4⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:3508

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2520016399360211104649475294913171983994791925627959 /f
4⤵
PID:2452

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
4⤵
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:4320

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 25200163993602111046494752949131719839947919256 /f
4⤵
- Modifies registry class
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:4236

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 252001639936021110464947529491317198399479 /f
4⤵
- Modifies registry key
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1032

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
3⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2800

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:364

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1040

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2132

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2752

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25206-5127656316468 /f
5⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
3⤵
PID:1448

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
4⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
3⤵
PID:4320

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
4⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d /ve /f
3⤵
PID:3924

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d /ve /f
4⤵
PID:344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
3⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
3⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
3⤵
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
3⤵
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0 /f
3⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
3⤵
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
3⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
3⤵
PID:1772

C:\Windows\system32\reg.exe
REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 2520016399360211104649475294913171983994791925627959 /f
4⤵
- Modifies registry key
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
3⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
3⤵
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
3⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
3⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
3⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
3⤵
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
3⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
3⤵
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
3⤵
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
3⤵
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
3⤵
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
3⤵
PID:168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
3⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
3⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
3⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
3⤵
PID:1996

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardVersion /t REG_SZ /d 25206-5127 /f
4⤵
- Enumerates system info in registry
- Modifies registry key
PID:496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
3⤵
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
3⤵
PID:1044

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d 25206-5127 /f
4⤵
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
3⤵
PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
3⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
3⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
3⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1620

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:772

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
3⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
3⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
3⤵
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
3⤵
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
3⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d /ve /f
3⤵
PID:4172

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d /ve /f
4⤵
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
3⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
3⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
3⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
3⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
3⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
3⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
3⤵
PID:4524

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
4⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
3⤵
PID:1528

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
4⤵
PID:3516

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
5⤵
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
3⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
3⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
3⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
3⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
3⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
3⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
3⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
3⤵
PID:496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
3⤵
PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
3⤵
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
3⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
3⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
3⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
3⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
3⤵
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
3⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
3⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
3⤵
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
3⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
3⤵
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
3⤵
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
3⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
3⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
3⤵
PID:4880

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
3⤵
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d /ve /f
3⤵
PID:1156

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:780

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25206-5127656316468 /f
5⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d /ve /f
3⤵
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d /ve /f
3⤵
PID:3088

C:\Windows\system32\taskkill.exe
taskkill /f /im OneDrive.exe
4⤵
- Kills process with taskkill
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d /ve /f
3⤵
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d /ve /f
3⤵
PID:4868

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25200-1639936021110 /f
4⤵
PID:2764

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25206-5127656316468 /f
5⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d /ve /f
3⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
3⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
3⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
3⤵
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
3⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d /ve /f
3⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
3⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
3⤵
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
3⤵
PID:1312

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v HostName /t REG_SZ /d 25206-5127 /f
4⤵
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
3⤵
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
3⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
3⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
3⤵
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
3⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
3⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
3⤵
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
3⤵
PID:3660

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemFamily /t REG_SZ /d 25206-5127 /f
4⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
3⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
3⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
3⤵
PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
3⤵
PID:352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2108

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:800

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4128

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
3⤵
PID:5088

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
4⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2456

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
3⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
3⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
3⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
3⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
3⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
3⤵
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
3⤵
PID:3856

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
4⤵
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
3⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2608

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4856

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2152

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3540

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1432

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4316

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4736

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4300

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2884

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:5048

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2660

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1012

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4696

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4644

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 25203-271472146725173 /f
4⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
- Checks system information in the registry
PID:2228

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1380

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1568

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 25206-5127656316468 /f
4⤵
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemVersion /t REG_SZ /d %random%-%random% /f
3⤵
PID:1556

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemVersion /t REG_SZ /d 25206-5127 /f
4⤵
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d %random%-%random% /f
3⤵
PID:2356

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d 25206-5127 /f
4⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v HostName /t REG_SZ /d %random%-%random% /f
3⤵
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %random%-%random% /f
3⤵
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random% /f
3⤵
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d %random%-%random% /f
3⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random% /f
3⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d %random%-%random% /f
3⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemFamily /t REG_SZ /d %random%-%random% /f
3⤵
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BIOSVersion /t REG_SZ /d %random%-%random% /f
3⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardVersion /t REG_SZ /d %random%-%random% /f
3⤵
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random% /f
3⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d %random%-%random% /f
3⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
3⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d %random%-%random% /f
3⤵
PID:2668

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d 25206-5127 /f
4⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d %random%-%random% /f
3⤵
PID:4452

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d 25206-5127 /f
4⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d %random%-%random% /f
3⤵
PID:4888

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d 25206-5127 /f
4⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v HostName /t REG_SZ /d %random%-%random% /f
3⤵
PID:4236

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v HostName /t REG_SZ /d 25206-5127 /f
4⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d %random%-%random% /f
3⤵
PID:4424

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d 25206-5127 /f
4⤵
- Modifies registry key
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d %random%-%random% /f
3⤵
PID:3272

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d 25206-5127 /f
4⤵
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d %random%-%random% /f
3⤵
PID:4560

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d 25206-5127 /f
4⤵
- Modifies registry key
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d %random%-%random% /f
3⤵
PID:4396

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d 25206-5127 /f
4⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:4960

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete HTTPDebuggerPro >nul 2>&1
3⤵
PID:4036

C:\Windows\system32\sc.exe
sc delete HTTPDebuggerPro
4⤵
- Launches sc.exe
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&1
3⤵
PID:2884

C:\Windows\system32\sc.exe
sc stop BEService
4⤵
- Launches sc.exe
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete BEService >nul 2>&1
3⤵
PID:5048

C:\Windows\system32\sc.exe
sc delete BEService
4⤵
- Launches sc.exe
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&1
3⤵
PID:1764

C:\Windows\system32\sc.exe
sc stop BEDaisy
4⤵
- Launches sc.exe
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete BEDaisy >nul 2>&1
3⤵
PID:4456

C:\Windows\system32\sc.exe
sc delete BEDaisy
4⤵
- Launches sc.exe
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&1
3⤵
PID:3524

C:\Windows\system32\sc.exe
sc stop EasyAntiCheat
4⤵
- Launches sc.exe
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&1
3⤵
PID:4120

C:\Windows\system32\sc.exe
sc stop EasyAntiCheatSys
4⤵
- Launches sc.exe
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheat >nul 2>&1
3⤵
PID:344

C:\Windows\system32\sc.exe
sc delete EasyAntiCheat
4⤵
- Launches sc.exe
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheatSys >nul 2>&1
3⤵
PID:2716

C:\Windows\system32\sc.exe
sc delete EasyAntiCheatSys
4⤵
- Launches sc.exe
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\Capcom.sys 2>&1
3⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /IM del /f %temp%* 2>&1
3⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /IM D:\steam\depotcache\* 2>&1
3⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /IM C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe 2>&1
3⤵
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /IM C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys 2>&1
3⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\System32\Capcom.sys 2>&1
3⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\KsDumperDriver.sys 2>&1
3⤵
PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\System32KsDumperDriver.sys 2>&1
3⤵
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
3⤵
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
3⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
3⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
3⤵
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
3⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
3⤵
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
3⤵
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
3⤵
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
3⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
3⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
3⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
3⤵
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
3⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
3⤵
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
3⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
3⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
3⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
3⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
3⤵
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
3⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
3⤵
- Drops file in Windows directory
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
3⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
3⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
3⤵
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
3⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
3⤵
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
3⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
3⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
3⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
3⤵
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
3⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
3⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
3⤵
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
3⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
3⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
3⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
3⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
3⤵
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
3⤵
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
3⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
3⤵
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
3⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
3⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
3⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
3⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
3⤵
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
3⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
3⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
3⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
3⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
3⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
3⤵
PID:168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
3⤵
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
3⤵
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
3⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
3⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
3⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
3⤵
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
3⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
3⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
3⤵
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
3⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
3⤵
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
3⤵
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
3⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
3⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
3⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
3⤵
PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
3⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
3⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
3⤵
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
3⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
3⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
3⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
3⤵
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
3⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
3⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
3⤵
PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
3⤵
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
3⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache
3⤵
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries
3⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
3⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
3⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
3⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
3⤵
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
3⤵
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
3⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
3⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
3⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
3⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
3⤵
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
3⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
3⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
3⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
3⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
3⤵
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
3⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
3⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
3⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
3⤵
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
3⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
3⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
3⤵
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
3⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
3⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
3⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
3⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows.old\Users\All Users\Microsoft\Windows\WER\Temp\WER6D21.tmp.WERInternalMetadata.xml
3⤵
PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\AgRobust.db
3⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
3⤵
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\OBS-FFMPEG-MUX.EXE-1C01271A.pf
3⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
3⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
3⤵
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
3⤵
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
3⤵
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
3⤵
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
3⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
3⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
3⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
3⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
3⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
3⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggpermV3\Final_Cleaner.bat" "
2⤵
PID:1300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
PID:2756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
3⤵
- Kills process with taskkill
PID:3612

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im FortniteLauncher.exe
3⤵
- Kills process with taskkill
PID:4776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
3⤵
- Kills process with taskkill
PID:1952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
1⤵
PID:4748

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25206-5127656316468 /f
2⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 25190-16921-15546-272242289 /f
1⤵
PID:2696

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 25193-27670-642-1851912603 /f
1⤵
- Modifies registry key
PID:4648

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 25193-27670 /f
1⤵
PID:1936

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 25193-27670 /f
1⤵
- Modifies registry key
PID:2028

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
2⤵
PID:5060

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\MountedDevices /f
1⤵
- Modifies registry key
PID:3060

C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 25196-5650-18506-981422918 /f
1⤵
PID:4776

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
1⤵
- Modifies registry key
PID:3640

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
2⤵
PID:3904

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
1⤵
PID:3816

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:3628

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
2⤵
PID:4820

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:1780

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
1⤵
PID:4528

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
2⤵
PID:3612

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
1⤵
PID:212

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
1⤵
PID:2700

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:2536

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
1⤵
PID:3408

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
1⤵
PID:2860

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
1⤵
PID:1056

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
1⤵
PID:2664

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
1⤵
PID:3048

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
1⤵
PID:4392

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
1⤵
PID:4540

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
2⤵
PID:4220

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
1⤵
PID:2912

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
1⤵
PID:1076

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
1⤵
PID:4408

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:3972

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:2944

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
1⤵
PID:4560

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d /ve /f
1⤵
PID:2512

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
1⤵
PID:672

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
1⤵
PID:3640

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
1⤵
PID:32

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
1⤵
PID:1036

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
1⤵
PID:368

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
1⤵
PID:876

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
1⤵
PID:4032

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
1⤵
PID:68

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
1⤵
PID:2948

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
1⤵
PID:400

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
1⤵
PID:4080

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d /ve /f
1⤵
PID:5100

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
1⤵
PID:4676

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
1⤵
PID:2228

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
1⤵
PID:1880

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
1⤵
PID:2628

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
1⤵
PID:3364

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
1⤵
PID:2872

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
1⤵
PID:4348

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
1⤵
PID:1528

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
1⤵
PID:2296

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
1⤵
PID:5072

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
1⤵
PID:368

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
1⤵
PID:876

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:2020

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:4576

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:1704

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:4256

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:1092

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:1500

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:1932

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:672

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:1860

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:3164

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:5084

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:3648

C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
2⤵
- Kills process with taskkill
PID:2772

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:1816

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:2628

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 25200-1639936021110 /f
1⤵
PID:4620

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 25200163993602 /f
1⤵
PID:1540

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 25200163993602111046494752949131719839 /f
1⤵
- Modifies registry key
PID:2860

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
1⤵
PID:1316

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 25206-5127 /f
1⤵
PID:212

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 25206-5127 /f
1⤵
- Enumerates system info in registry
PID:508

C:\Windows\system32\reg.exe
REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d 25206-5127 /f
1⤵
- Enumerates system info in registry
PID:4700

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 25206-5127656316468 /f
1⤵
PID:4552

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 25206-5127656316468 /f
1⤵
PID:1284

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 25206-5127656316468 /f
1⤵
PID:824

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 25206-5127656316468 /f
1⤵
PID:2488

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 25206-5127656316468 /f
1⤵
PID:5100

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 25203-271472146725173 /f
1⤵
PID:3756

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
- Launches sc.exe
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

4

System Information Discovery

6

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

3

T1490

Data Destruction

T1485

Service Stop