c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09/11/2024, 22:49

241109-2r2veatfrl 10

09/11/2024, 22:47

09/11/2024, 22:46

09/11/2024, 22:44

07/11/2024, 16:00

10/02/2024, 17:17

Analysis

max time kernel
53s
max time network
54s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/02/2024, 17:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ggpermV3/Trinity Cleaner.exe
Size

752KB
MD5

5ff39c44ff3eaf7798bffa670fb4b600
SHA1

cd22cc93964fdeb470460642c44fd4ce31f3bf1e
SHA256

fd5d49ac3a9a4130261f43ef6e6c9c6a4a317e7ba421f88e22e0fbe96fd45429
SHA512

6ec8f1e38d78a773f8b0764f7aa5d8902c8c556a2583bdf62b6485e093c8a193b5965e3d908abe60d80b0fc690e2def7721aa896f14f6e77c80f72aa11fa3878
SSDEEP

12288:FBTyBtZmiNYQtIFc5oiJfJulj1CBMeIFjKuQdGhSaApNrWSvUghmjpoVb3/k2JP:eBtZicIFc5oiJfJulj1CBMeIFjKuQdGP

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
2796	Process not Found

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2548	Process not Found

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Trinity Cleaner.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 4a000000	Trinity Cleaner.exe

Executes dropped EXE 1 IoCs

pid	Process
1100	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\BITS\0407\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0C0A\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ndisuio.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0407\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\ESENT\0000\esentprf.ini	Process not Found
File opened for modification	C:\Windows\INF\usbhub\0000\usbperf.ini	Process not Found
File opened for modification	C:\Windows\INF\NETDAT~1\0C0A\_DataOracleClientPerfCounters_shared12_neutral_D.ini	Process not Found
File opened for modification	C:\Windows\INF\NETDAT~1\0409\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\040C\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0C0A\esentprf.ini	Process not Found
File opened for modification	C:\Windows\INF\REMOTE~1\0407\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0000\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0000\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\fr-FR\netavpnt.inf_loc	Process not Found
File opened for modification	C:\Windows\INF\ESENT\0410\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0410\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\MSDTC\0000\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\usbhub\040C\usbperf.ini	Process not Found
File opened for modification	C:\Windows\INF\REMOTE~1\040C\rasctrs.ini	Process not Found
File opened for modification	C:\Windows\INF\UGATHE~1\040C\gsrvctr.ini	Process not Found
File opened for modification	C:\Windows\INF\MSDTC\0000\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\NETDAT~1\0000\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0411\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0000\ReadyBoostPerfCounters.ini	Process not Found
File opened for modification	C:\Windows\INF\NETCLR~1\_DataPerfCounters.ini	Process not Found
File opened for modification	C:\Windows\INF\NETFRA~1\0407\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\040C\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0000\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~2\040C\_Networkingperfcounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0409\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\msdtcprf.h	Process not Found
File opened for modification	C:\Windows\INF\MSDTC\0C0A\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\WINDOW~1.0\0409\PerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\INF\ESENT\esentprf.hxx	Process not Found
File opened for modification	C:\Windows\INF\MSDTC\040C\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\usbhub\0407\usbperf.ini	Process not Found
File opened for modification	C:\Windows\INF\NETDAT~1\0C0A\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0407\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\040C\gsrvctr.ini	Process not Found
File opened for modification	C:\Windows\INF\netbrdgs.inf	Process not Found
File opened for modification	C:\Windows\INF\MSDTC\0409\msdtcprf.ini	Process not Found
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0000\_TransactionBridgePerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\INF\NETCLR~1\0409\_DataPerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\INF\SERVIC~2.0\0409\_ServiceModelServicePerfCounters_D.ini	Process not Found
File opened for modification	C:\Windows\INF\usbhub\usbperfsym.h	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\040C\idxcntrs.ini	Process not Found
File opened for modification	C:\Windows\INF\REMOTE~1\rasctrnm.h	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0407\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0410\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0C0A\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0000\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0C0A\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\defltbase.inf	cmd.exe
File opened for modification	C:\Windows\INF\it-IT\netavpnt.inf_loc	Process not Found
File opened for modification	C:\Windows\INF\ESENT\0000\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0410\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\040C\gthrctr.ini	Process not Found
File opened for modification	C:\Windows\INF\wfplwf.inf	Process not Found
File opened for modification	C:\Windows\INF\rdyboost\0C0A\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\040C\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0410\esentprf.ini	Process not Found
File opened for modification	C:\Windows\INF\usbhub\0C0A\usbperf.ini	Process not Found
File opened for modification	C:\Windows\INF\netvwififlt.inf	Process not Found
File opened for modification	C:\Windows\INF\NETFRA~1\corperfmonsymbols.ini	cmd.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1772	sc.exe
2096	sc.exe
1476	sc.exe
1468	sc.exe
2444	sc.exe
932	sc.exe
1948	sc.exe
2436	sc.exe
2468	sc.exe
872	sc.exe
2204	sc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "26745-8414"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Trinity Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Trinity Cleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "26742-304333069624814"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "/ve"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "26745-8414"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Trinity Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "26716-9982-18854-289163177"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "26745-8414"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "26723-31479-21815-1150623806"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "J"	Trinity Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "/ve"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU = "26745-8414"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "26723-314792181511506"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "26745-8414"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = ":"	Trinity Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion = "26745-8414"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "J"	Trinity Cleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "26716-99821885428916"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "26745-8414"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily = "26745-8414"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "26742-304333069624814"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion = "26745-8414"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "26745-8414"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Trinity Cleaner.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "/ve"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer = "26742-304333069624814"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	reg.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2620	Process not Found
2852	Process not Found
2640	Process not Found

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1208	Process not Found

Kills process with taskkill 6 IoCs

evasion

pid	Process
2644	taskkill.exe
2796	taskkill.exe
2560	taskkill.exe
2228	taskkill.exe
540	taskkill.exe
588	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 02672331479218151150623806999831351273607015	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 02672920208247752686511667178514808215067270	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Interface	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Installer	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Installer\Dependencies\MSICache = 026723314792181511506238069998313512736070153263716747	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Installer\Dependencies	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Installer\Dependencies\MSICache = 026729202082477526865116671785148082150672702034116451	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Interface\ClsidStore = 02671920730395020211134916071282393028723271601816895849	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Installer\Dependencies	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Interface\ClsidStore = 26729202082477526865116671785148082150672702034116451981	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
916	reg.exe
872	reg.exe
1740	reg.exe
2204	reg.exe
2640	reg.exe
2608	reg.exe
2904	reg.exe
1424	reg.exe
1380	reg.exe
1288	reg.exe
1220	reg.exe
1688	reg.exe
2620	reg.exe
2580	reg.exe
2572	reg.exe
1156	reg.exe
2628	reg.exe
2604	reg.exe
1816	reg.exe
2600	reg.exe
2584	reg.exe
1268	reg.exe
1920	reg.exe
1012	reg.exe
2460	reg.exe
776	reg.exe
3048	reg.exe
2620	reg.exe
2476	reg.exe
1460	reg.exe
2704	reg.exe
1028	reg.exe
1280	reg.exe
2176	reg.exe
2100	reg.exe
1816	reg.exe
1228	reg.exe
2964	reg.exe
1236	reg.exe
776	reg.exe
2292	reg.exe
276	reg.exe
2936	reg.exe
3060	reg.exe
2168	reg.exe
1016	reg.exe
652	reg.exe
1488	reg.exe
1056	reg.exe
1296	reg.exe
2408	reg.exe
404	reg.exe
2104	reg.exe
276	reg.exe
2964	reg.exe
1648	reg.exe
1572	reg.exe
2136	reg.exe
1448	reg.exe
1888	reg.exe
540	reg.exe
604	reg.exe
2188	reg.exe
1588	reg.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeBackupPrivilege	3048	Process not Found
Token: SeRestorePrivilege	3048	Process not Found
Token: SeAuditPrivilege	3048	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeRemoteShutdownPrivilege	2708	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2840	2500	Trinity Cleaner.exe	29
PID 2500 wrote to memory of 2840	2500	Trinity Cleaner.exe	29
PID 2500 wrote to memory of 2840	2500	Trinity Cleaner.exe	29
PID 2840 wrote to memory of 2644	2840	cmd.exe	30
PID 2840 wrote to memory of 2644	2840	cmd.exe	30
PID 2840 wrote to memory of 2644	2840	cmd.exe	30
PID 2500 wrote to memory of 2800	2500	Trinity Cleaner.exe	32
PID 2500 wrote to memory of 2800	2500	Trinity Cleaner.exe	32
PID 2500 wrote to memory of 2800	2500	Trinity Cleaner.exe	32
PID 2800 wrote to memory of 2796	2800	cmd.exe	33
PID 2800 wrote to memory of 2796	2800	cmd.exe	33
PID 2800 wrote to memory of 2796	2800	cmd.exe	33
PID 2500 wrote to memory of 2672	2500	Trinity Cleaner.exe	34
PID 2500 wrote to memory of 2672	2500	Trinity Cleaner.exe	34
PID 2500 wrote to memory of 2672	2500	Trinity Cleaner.exe	34
PID 2672 wrote to memory of 2560	2672	cmd.exe	35
PID 2672 wrote to memory of 2560	2672	cmd.exe	35
PID 2672 wrote to memory of 2560	2672	cmd.exe	35
PID 2500 wrote to memory of 2708	2500	Trinity Cleaner.exe	36
PID 2500 wrote to memory of 2708	2500	Trinity Cleaner.exe	36
PID 2500 wrote to memory of 2708	2500	Trinity Cleaner.exe	36
PID 2708 wrote to memory of 2384	2708	cmd.exe	37
PID 2708 wrote to memory of 2384	2708	cmd.exe	37
PID 2708 wrote to memory of 2384	2708	cmd.exe	37
PID 2500 wrote to memory of 2820	2500	Trinity Cleaner.exe	38
PID 2500 wrote to memory of 2820	2500	Trinity Cleaner.exe	38
PID 2500 wrote to memory of 2820	2500	Trinity Cleaner.exe	38
PID 2820 wrote to memory of 2580	2820	cmd.exe	39
PID 2820 wrote to memory of 2580	2820	cmd.exe	39
PID 2820 wrote to memory of 2580	2820	cmd.exe	39
PID 2500 wrote to memory of 2772	2500	Trinity Cleaner.exe	40
PID 2500 wrote to memory of 2772	2500	Trinity Cleaner.exe	40
PID 2500 wrote to memory of 2772	2500	Trinity Cleaner.exe	40
PID 2772 wrote to memory of 2728	2772	cmd.exe	41
PID 2772 wrote to memory of 2728	2772	cmd.exe	41
PID 2772 wrote to memory of 2728	2772	cmd.exe	41
PID 2500 wrote to memory of 3012	2500	Trinity Cleaner.exe	42
PID 2500 wrote to memory of 3012	2500	Trinity Cleaner.exe	42
PID 2500 wrote to memory of 3012	2500	Trinity Cleaner.exe	42
PID 3012 wrote to memory of 2684	3012	cmd.exe	43
PID 3012 wrote to memory of 2684	3012	cmd.exe	43
PID 3012 wrote to memory of 2684	3012	cmd.exe	43
PID 2500 wrote to memory of 2712	2500	Trinity Cleaner.exe	44
PID 2500 wrote to memory of 2712	2500	Trinity Cleaner.exe	44
PID 2500 wrote to memory of 2712	2500	Trinity Cleaner.exe	44
PID 2712 wrote to memory of 2660	2712	cmd.exe	45
PID 2712 wrote to memory of 2660	2712	cmd.exe	45
PID 2712 wrote to memory of 2660	2712	cmd.exe	45
PID 2500 wrote to memory of 1564	2500	Trinity Cleaner.exe	46
PID 2500 wrote to memory of 1564	2500	Trinity Cleaner.exe	46
PID 2500 wrote to memory of 1564	2500	Trinity Cleaner.exe	46
PID 1564 wrote to memory of 2812	1564	cmd.exe	47
PID 1564 wrote to memory of 2812	1564	cmd.exe	47
PID 1564 wrote to memory of 2812	1564	cmd.exe	47
PID 2500 wrote to memory of 2552	2500	Trinity Cleaner.exe	48
PID 2500 wrote to memory of 2552	2500	Trinity Cleaner.exe	48
PID 2500 wrote to memory of 2552	2500	Trinity Cleaner.exe	48
PID 2552 wrote to memory of 2548	2552	cmd.exe	49
PID 2552 wrote to memory of 2548	2552	cmd.exe	49
PID 2552 wrote to memory of 2548	2552	cmd.exe	49
PID 2500 wrote to memory of 2568	2500	Trinity Cleaner.exe	50
PID 2500 wrote to memory of 2568	2500	Trinity Cleaner.exe	50
PID 2500 wrote to memory of 2568	2500	Trinity Cleaner.exe	50
PID 2568 wrote to memory of 2584	2568	cmd.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ggpermV3\Trinity Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\ggpermV3\Trinity Cleaner.exe"
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
  - - C:\Windows\system32\reg.exe
      REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 26723314792181511506238069998313512736070153263716747893 /f
      4⤵
      PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat /f
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat /f
    3⤵
    - Modifies registry key
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Services\BEService /f
    3⤵
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\ACR06A7 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\ACR06A7 /f
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\PHLC0B1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\ControlSet001\Enum\DISPLAY\PHLC0B1 /f
    3⤵
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration /f
    3⤵
    PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity /f
    3⤵
    PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\system32\reg.exe
    reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  PID:2616
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2671699821885428916317721442512644767591216617043805 /f
    3⤵
    - Modifies registry key
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:3016
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-26716 /f
    3⤵
    - Modifies registry key
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2284
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-26716 /f
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
  2⤵
  PID:2988
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 267169982-18854-28916-3177 /f
    3⤵
    PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random%-%random} /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {26716-9982-%random} /f
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1224
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 26716-99821885428916 /f
    3⤵
    PID:1056
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2528
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 26716-9982 /f
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2612
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 26716-9982 /f
    3⤵
    - Modifies registry key
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2736
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 26716-99821885428916 /f
    3⤵
    - Enumerates system info in registry
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {26716-9982-18854-289163177} /f
    3⤵
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {26716-9982-18854-289163177} /f
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:348
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {26716-9982-18854-289163177} /f
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2592
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 26716-9982-18854-289163177 /f
    3⤵
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1736
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 26716-9982-18854-289163177 /f
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1628
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 26716-9982-18854-289163177 /f
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1556
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 26716-9982-18854-289163177 /f
    3⤵
    - Modifies registry key
    PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 26716-9982-18854-289163177 /f
    3⤵
    - Modifies registry key
    PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2276
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 26716-9982-18854-289163177 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2088
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 26716-9982-18854-289163177 /f
    3⤵
    - Enumerates system info in registry
    PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {26716-9982-18854-289163177} /f
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:500
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {26716-9982-18854-289163177} /f
    3⤵
    - Modifies registry key
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1768
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-26716 /f
    3⤵
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 26716 /f
    3⤵
    - Modifies registry key
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
  2⤵
  PID:1472
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 26716 /f
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1036
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-26716 /f
    3⤵
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {267169982-18854-28916-31772144} /f
    3⤵
    - Modifies registry key
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:868
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {267169982-18854-28916-31772144} /f
    3⤵
    - Modifies registry key
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
  2⤵
  PID:1372
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 26716 /f
    3⤵
    - Modifies registry key
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
  2⤵
  PID:1212
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 26716 /f
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
  2⤵
  PID:2184
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 26716 /f
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 26716-9982-18854-28916 /f
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
  2⤵
  PID:2220
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 267169982-18854-28916-3177 /f
    3⤵
    - Modifies registry key
    PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 2671920730-3950-20211-13491 /f
    3⤵
    - Modifies registry key
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random%%random% /f
  2⤵
  PID:1276
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 2671920730 /f
    3⤵
    - Modifies registry key
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
  2⤵
  PID:1764
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 26719 /f
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
  2⤵
  PID:2532
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 26719 /f
    3⤵
    PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%-%random%-%random%} /f
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {2671920730-3950-20211-13491} /f
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
  2⤵
  PID:1996
- - C:\Windows\system32\reg.exe
    REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:384
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  2⤵
  PID:604
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  2⤵
  PID:488
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    - Modifies registry key
    PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  2⤵
  PID:908
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
  2⤵
  PID:596
- - C:\Windows\system32\reg.exe
    reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:1424
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:2900
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:1728
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  2⤵
  PID:2512
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1164
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1264
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
  2⤵
  PID:2400
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v RegistersData /f
    3⤵
    - Modifies registry key
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
  2⤵
  PID:452
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v BiosData /f
    3⤵
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
  2⤵
  PID:3068
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v AcpiData /f
    3⤵
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:1320
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1616
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:340
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1308
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:472
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
  2⤵
  PID:376
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    - Modifies registry key
    PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:1752
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:1268
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 26729-20208-24775-2686511667 /f
    3⤵
    - Modifies registry key
    PID:276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 2671920730395020211134916071282393028723271601816895849 /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:968
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:2356
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:624
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2240
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    - Modifies registry key
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
  2⤵
  PID:2496
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2056
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 26719-20730-3950-2021113491 /f
    3⤵
    - Modifies registry key
    PID:2292
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
  2⤵
  PID:668
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  2⤵
  PID:2920
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  2⤵
  PID:1956
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
  2⤵
  PID:2948
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:2372
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1732
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 26723314792181511506238069998313512736070153263716747893 /f
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3040
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 26723314792181511506238069998313512736070153263716747 /f
    3⤵
    - Modifies registry class
    PID:2480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1548
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 267233147921815115062380699983135127360701532637 /f
    3⤵
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2080
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 26723314792181511506238069998313512736070153263716747893 /f
    3⤵
    PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2676
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2672331479218151150623806999831351273607015 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2896
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2672331479218151150623806999831351273607015 /f
    3⤵
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2832
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2672331479218151150623806999831351273607015 /f
    3⤵
    - Modifies registry key
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2396
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 267233147921815 /f
    3⤵
    PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 267233147921815 /f
    3⤵
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2848
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 267233147921815 /f
    3⤵
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2576
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 267233147921815 /f
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  2⤵
  PID:2824
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {26723-31479-2181511506} /f
    3⤵
    PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  PID:2788
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2720
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 26723314792181511506238069998313512736070153263716747893 /f
    3⤵
    - Modifies registry key
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2564
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-26723 /f
    3⤵
    PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2596
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-26723 /f
    3⤵
    - Modifies registry key
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%-%random% /f
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 26723-31479-21815-11506-23806 /f
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {%random%-%random%-%random} /f
  2⤵
  PID:2972
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {26723-31479-%random} /f
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2808
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 26723-314792181511506 /f
    3⤵
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2364
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 26723-31479 /f
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:808
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 26723-31479 /f
    3⤵
    - Modifies registry key
    PID:2104
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 26729-202082477526865 /f
      4⤵
      PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1532
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 26723-314792181511506 /f
    3⤵
    - Enumerates system info in registry
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {26723-31479-21815-1150623806} /f
    3⤵
    - Modifies registry key
    PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1440
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {26723-31479-21815-1150623806} /f
    3⤵
    - Modifies registry key
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2780
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {26723-31479-21815-1150623806} /f
    3⤵
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2724
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 26723-31479-21815-1150623806 /f
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2868
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 26723-31479-21815-1150623806 /f
    3⤵
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2976
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 26723-31479-21815-1150623806 /f
    3⤵
    PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1756
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 26723-31479-21815-1150623806 /f
    3⤵
    PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1760
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 26723-31479-21815-1150623806 /f
    3⤵
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 26723-31479-21815-1150623806 /f
    3⤵
    - Enumerates system info in registry
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1596
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 26723-31479-21815-1150623806 /f
    3⤵
    - Enumerates system info in registry
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1604
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {26723-31479-21815-1150623806} /f
    3⤵
    - Modifies registry key
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1832
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {26723-31479-21815-1150623806} /f
    3⤵
    - Modifies registry key
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2272
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-26723 /f
    3⤵
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
  2⤵
  PID:2472
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 26726 /f
    3⤵
    PID:1904
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
      4⤵
      PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
  2⤵
  PID:1772
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 26726 /f
    3⤵
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-26726 /f
    3⤵
    - Modifies registry key
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {267269459-6911-2802-135213925} /f
    3⤵
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2096
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {267269459-6911-2802-135213925} /f
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
  2⤵
  PID:2448
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 26726 /f
    3⤵
    PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
  2⤵
  PID:1332
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 26726 /f
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
  2⤵
  PID:888
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 26726 /f
    3⤵
    - Modifies registry key
    PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f
  2⤵
  PID:932
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 267269459-6911-2802-1352 /f
    3⤵
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random%%random% /f
  2⤵
  PID:1256
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 267269459 /f
    3⤵
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
  2⤵
  PID:2192
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 26726 /f
    3⤵
    - Modifies registry key
    PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 26726 /f
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%random%%random%-%random%-%random%-%random%} /f
  2⤵
  PID:2020
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {267269459-6911-2802-1352} /f
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG delete HKCU\Software\Epic" "Games /f
  2⤵
  PID:2216
- - C:\Windows\system32\reg.exe
    REG delete HKCU\Software\Epic" "Games /f
    3⤵
    - Modifies registry key
    PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 26726-9459-6911-28021352 /f
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  2⤵
  PID:2536
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    - Modifies registry key
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCR\com.epicgames.launcher /f
  2⤵
  PID:2224
- - C:\Windows\system32\reg.exe
    reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:2908
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:588
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:324
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:1016
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:1428
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  2⤵
  PID:580
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:652
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 26726-9459-6911-28021352 /f
    3⤵
    - Modifies registry key
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 26726-9459-6911-28021352 /f
    3⤵
    PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1012
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 26726-9459-6911-28021352 /f
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:332
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1824
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 26726-9459-6911-28021352 /f
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2264
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 26726-9459-6911-28021352 /f
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:2520
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 26726-9459-6911-28021352 /f
    3⤵
    - Modifies registry key
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:2508
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
  2⤵
  PID:2328
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    PID:288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:2332
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:412
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:3068
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1320
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 26729202082477526865116671785148082150672702034116451981 /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1616
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 26729-20208-24775-2686511667 /f
    3⤵
    - Modifies registry key
    PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:340
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 26729-20208-24775-2686511667 /f
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1308
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 26729-20208-24775-2686511667 /f
    3⤵
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
  2⤵
  PID:472
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    - Modifies registry key
    PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:376
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 26729-20208-24775-2686511667 /f
    3⤵
    - Modifies registry key
    PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  2⤵
  PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  2⤵
  PID:624
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:2240
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
  2⤵
  PID:2496
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History /f
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:668
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
  2⤵
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2920
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 26729202082477526865116671785148082150672702034116451981 /f
    3⤵
    - Modifies registry key
    PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1956
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 26729202082477526865116671785148082150672702034116451 /f
    3⤵
    - Modifies registry class
    PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:292
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 267292020824775268651166717851480821506727020341 /f
    3⤵
    - Modifies registry key
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2948
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 26729202082477526865116671785148082150672702034116451981 /f
    3⤵
    - Modifies registry key
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 26729202082477526865116671785148082150672702034116451981 /f
    3⤵
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2672920208247752686511667178514808215067270 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2372
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2672920208247752686511667178514808215067270 /f
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1732
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2672920208247752686511667178514808215067270 /f
    3⤵
    PID:2480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:3056
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 267292020824775 /f
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 267292020824775 /f
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 267292020824775 /f
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 267292020824775 /f
    3⤵
    - Modifies registry key
    PID:2704
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  2⤵
  PID:2800
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {26729-20208-2477526865} /f
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2884
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2672
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2708
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2820
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2784
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2112
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2600
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2608
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2556
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2572
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2624
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2716
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2968
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2344
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 26729-202082477526865 /f
    3⤵
    PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1612
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1460
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1380
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2540
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2776
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2860
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2944
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:644
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1220
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1020
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:1740
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
    3⤵
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
    3⤵
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:2464
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2460
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:2456
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:1472
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:1036
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:2828
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:932
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:1256
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:2192
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:2020
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2216
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:2536
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:2224
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:2908
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:588
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:324
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:1016
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:580
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:652
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1012
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:332
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1824
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2264
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2520
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 26732-30956987118160 /f
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2508
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2320
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2400
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:452
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3064
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1692
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1720
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1932
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1336
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2148
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1352
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2524
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:976
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:704
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2932
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1708
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 26736-8936277359456 /f
    3⤵
    PID:600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:1600
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:2952
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:2116
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
    3⤵
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:2892
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2928
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:1240
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:692
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:2372
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:2480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:1732
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:2080
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:2644
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:2676
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:2896
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:2832
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2396
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:2848
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:3012
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:2712
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:2552
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:2616
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:3016
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0 /f
  2⤵
  PID:2284
- - C:\Windows\system32\reg.exe
    REG ADD HKU\S-1-5-21-1890030585-3173979648-977140667-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\0\0\0 /f
    3⤵
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
  2⤵
  PID:2988
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
    3⤵
    PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
  2⤵
  PID:2528
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver /v PropertyGuid /t REG_SZ /d {%Hex8%-%Hex1%-%Hex0%-%Hex1%-%Hex10%} /f
  2⤵
  PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2612
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d /ve /f
    3⤵
    - Enumerates system info in registry
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2736
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    - Enumerates system info in registry
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    - Enumerates system info in registry
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:348
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2592
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:1736
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:1596
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:1604
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:1832
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d /ve /f
  2⤵
  PID:2272
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d /ve /f
    3⤵
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d /ve /f
  2⤵
  PID:2472
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d /ve /f
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:1772
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
    3⤵
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
    3⤵
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
  2⤵
  PID:1572
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d /ve /f
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
  2⤵
  PID:1492
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d /ve /f
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
  2⤵
  PID:2444
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d /ve /f
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:1296
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2432
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:1284
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:1712
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:1948
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:2208
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:2188
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:1888
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:2168
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:2912
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:2864
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d /ve /f
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
  2⤵
  PID:2224
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d /ve /f
    3⤵
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
  2⤵
  PID:2908
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d /ve /f
    3⤵
    PID:604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
  2⤵
  PID:588
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d /ve /f
    3⤵
    PID:488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OneDrive.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
  2⤵
  PID:324
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d /ve /f
    3⤵
    PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
  2⤵
  PID:1016
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d /ve /f
    3⤵
    PID:596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
  2⤵
  PID:1428
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d /ve /f
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
  2⤵
  PID:580
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d /ve /f
    3⤵
    PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
  2⤵
  PID:652
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d /ve /f
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d /ve /f
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
  2⤵
  PID:1012
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d /ve /f
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
  2⤵
  PID:332
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d /ve /f
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1824
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    - Enumerates system info in registry
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2264
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    - Enumerates system info in registry
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2520
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    - Enumerates system info in registry
    PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2508
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2320
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation /v SystemProductName /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2400
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemManufacturer /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:452
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation /v SystemProductName /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:3064
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemManufacturer /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1692
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v SystemProductName /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1720
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current /v BaseBoardManufacturer /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1932
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemManufacturer /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1336
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v SystemProductName /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f} /v BaseBoardManufacturer /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2148
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1352
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2524
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {037bf8fa-5b18-50b2-ba13-2580426ff357} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:976
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {5c8c5d29-b5ed-5229-a26c-e661b1e1129b} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:704
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {f2461683-1fa0-5629-b022-d0ffaee63ed0} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2932
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1708
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1600
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2920
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1956
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:292
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2948
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2844
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2636
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1512
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:1660
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2792
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {41417485-85de-59b6-a9fa-e7f706b1d992} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {ca09ac19-a9a0-5236-a0f6-ce81dcc46d9a} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {81287c07-f962-5bac-a75b-e98c2c8f5f93} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a0a97217-b3b7-58c7-a1fd-1a9295288031} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2800
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {28c62655-d5a5-58ee-9dae-4c1d2c09f9ef} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2884
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {67b72407-d583-525b-9f54-cc0f8ee0552e} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2672
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {a4d0f078-0772-5228-a37a-db55fdb8ee04} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2708
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {21a4c841-f6fc-5651-8cde-435c9effc378} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2820
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {cd0c55c7-a3ae-55b4-add7-578cdc06511f} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2784
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {feb9c5fe-1cdf-59a8-8008-550892c61c37} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2112
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {6ef3fe51-9106-55cf-a553-f5d21bb78cc3} /t REG_SZ /d 26742-304333069624814 /f
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d %random%-%random%%random%%random% /f
  2⤵
  PID:2600
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\{a0408a6a-546c-11ea-af4e-4df901723b0f}\ComputerIds /v {7b3e1573-c771-5dbd-b795-f8344771349d} /t REG_SZ /d 26745-84141579216110 /f
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2608
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardManufacturer /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2556
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardVersion /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:288
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardVersion /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BIOSVersion /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2616
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BIOSVersion /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemFamily /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemFamily /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:3016
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2284
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2988
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemVersion /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemVersion /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1224
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemProductName /t REG_SZ /d 26745-8414 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2528
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d 26745-8414 /f
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v HostName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2612
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v HostName /t REG_SZ /d 26745-8414 /f
    3⤵
    - Modifies registry key
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2736
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d 26745-8414 /f
    3⤵
    - Modifies registry key
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d 26745-8414 /f
    3⤵
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d 26745-8414 /f
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:348
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d 26745-8414 /f
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v HostName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:2592
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v HostName /t REG_SZ /d 26745-8414 /f
    3⤵
    - Modifies registry key
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1736
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV HostName /t REG_SZ /d 26745-8414 /f
    3⤵
    - Modifies registry key
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{146337E2-B748-4468-AC39-FCBBA2D507EC} /v Hostname /t REG_SZ /d 26745-8414 /f
    3⤵
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1596
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{34E2F73D-D367-4931-8A5F-FB72BBE02BCB} /v Hostname /t REG_SZ /d 26745-8414 /f
    3⤵
    - Modifies registry key
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d %random%-%random% /f
  2⤵
  PID:1604
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8B66020F-34DF-4179-BC45-E6419E7905AD} /v Hostname /t REG_SZ /d 26745-8414 /f
    3⤵
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1832
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:500
- - C:\Windows\system32\sc.exe
    sc delete HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&1
  2⤵
  PID:2464
- - C:\Windows\system32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete BEService >nul 2>&1
  2⤵
  PID:2476
- - C:\Windows\system32\sc.exe
    sc delete BEService
    3⤵
    - Launches sc.exe
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&1
  2⤵
  PID:2316
- - C:\Windows\system32\sc.exe
    sc stop BEDaisy
    3⤵
    - Launches sc.exe
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete BEDaisy >nul 2>&1
  2⤵
  PID:1332
- - C:\Windows\system32\sc.exe
    sc delete BEDaisy
    3⤵
    - Launches sc.exe
    PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&1
  2⤵
  PID:1036
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&1
  2⤵
  PID:1288
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheat >nul 2>&1
  2⤵
  PID:2432
- - C:\Windows\system32\sc.exe
    sc delete EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheatSys >nul 2>&1
  2⤵
  PID:1256
- - C:\Windows\system32\sc.exe
    sc delete EasyAntiCheatSys
    3⤵
    - Launches sc.exe
    PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2184
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\Capcom.sys 2>&1
  2⤵
  PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM del /f %temp%* 2>&1
  2⤵
  PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM D:\steam\depotcache\* 2>&1
  2⤵
  PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe 2>&1
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.sys 2>&1
  2⤵
  PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\KsDumperDriver.sys 2>&1
  2⤵
  PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\System32\Capcom.sys 2>&1
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /IM C:\Windows\System32KsDumperDriver.sys 2>&1
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
  2⤵
  PID:2764
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  PID:2040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
  2⤵
  PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  2⤵
  PID:580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
  2⤵
  PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
  2⤵
  PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
  2⤵
  PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
  2⤵
  PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
  2⤵
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
  2⤵
  PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
  2⤵
  PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
  2⤵
  PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\Public\Documents
  2⤵
  PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\temp
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
  2⤵
  PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
  2⤵
  PID:292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
  2⤵
  PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
  2⤵
  PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
  2⤵
  PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
  2⤵
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
  2⤵
  PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
  2⤵
  PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
  2⤵
  PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
  2⤵
  PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
  2⤵
  PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\Intel
  2⤵
  PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
  2⤵
  PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
  2⤵
  PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
  2⤵
  PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
  2⤵
  PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
  2⤵
  PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
  2⤵
  PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
  2⤵
  PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\Public\Libraries
  2⤵
  PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\MSOCache
  2⤵
  PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
  2⤵
  PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
  2⤵
  PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
  2⤵
  PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
  2⤵
  PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
  2⤵
  PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
  2⤵
  PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
  2⤵
  PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
  2⤵
  PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Temp
  2⤵
  PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\V0100024.log
  2⤵
  PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
  2⤵
  PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\All Users\Microsoft\Windows\WER\Temp\WER5CC2.tmp.xml
  2⤵
  PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows.old\Users\All Users\Microsoft\Windows\WER\Temp\WER6D21.tmp.WERInternalMetadata.xml
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\Temp\ecache.bin
  2⤵
  PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\CrashDumps\BACKGR~2.DMP
  2⤵
  PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\ATTRIB.EXE-58A07CAF.pf
  2⤵
  PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\AgRobust.db
  2⤵
  PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\CEPHTMLENGINE.EXE-E15640BA.pf
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\CMD.EXE-0BD30981.pf
  2⤵
  PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\CLIPUP.EXE-4C5C7B66.pf
  2⤵
  PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\D3D9TEST.EXE-1B86F3FC.pf
  2⤵
  PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\GET-GRAPHICS-OFFSETS64.EXE-2BCB2EA4.pf
  2⤵
  PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\GET-GRAPHICS-OFFSETS32.EXE-D4C865E3.pf
  2⤵
  PID:348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\OBS-FFMPEG-MUX.EXE-1C01271A.pf
  2⤵
  PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\prefetch\OBS-FFMPEG-MUX.EXE-1C01271A.pf
  2⤵
  PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s %systemdrive%\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s e:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s d:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /q /s f:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  2⤵
  PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
  2⤵
  PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Logs
  2⤵
  PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
  2⤵
  PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:2192

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 26719-20730-3950-2021113491 /f
1⤵
- Modifies registry key
PID:2408

C:\Windows\system32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ggpermV3\Trinity Cleaner.exe

Filesize
752KB

MD5
5ff39c44ff3eaf7798bffa670fb4b600

SHA1
cd22cc93964fdeb470460642c44fd4ce31f3bf1e

SHA256
fd5d49ac3a9a4130261f43ef6e6c9c6a4a317e7ba421f88e22e0fbe96fd45429

SHA512
6ec8f1e38d78a773f8b0764f7aa5d8902c8c556a2583bdf62b6485e093c8a193b5965e3d908abe60d80b0fc690e2def7721aa896f14f6e77c80f72aa11fa3878

Download Submit
memory/812-2-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2660-1-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads