561537d9facf1140ce4e3e25290c3bc31967c65d3d77c429afdea20557cb8e43

Resubmissions

14-06-2024 13:54

240614-q7y8nstbpf 7

14-06-2024 13:52

240614-q6wq6axbnp 7

Analysis

max time kernel
5s
max time network
0s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite-Cleaner.exe
Size

426KB
MD5

a158fb5bce9e7f3adf129939d25f96df
SHA1

28adc37dee6605dc90e521fdc1c3d8c9fee2eab1
SHA256

561537d9facf1140ce4e3e25290c3bc31967c65d3d77c429afdea20557cb8e43
SHA512

5b2272fe5ec5a3fd3fd2dc0684817b7b917c81b8bbe0d50513acbd15c04e0a954d55fdf2632848f98004e4dd1eaf9c0475688ebceb97936d742338dd5a3198c5
SSDEEP

12288:G6R/iFHrLFmA/nsZIf2AKV1Biu5xgVuT:5pGLWZIf2fPYuDgV

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\BITS\0411\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0407\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\040C\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\de-DE\netavpnt.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\ndisuio.inf	cmd.exe
File opened for modification	C:\Windows\INF\netnb.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0409\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\perfctr.h	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0000\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0C0A\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0410\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0C0A\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0407\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\040C\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0000\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0410\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\0C0A\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~2\0407\_Networkingperfcounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\defltbase.inf	cmd.exe
File opened for modification	C:\Windows\INF\en-US\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0000\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\040C\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0409\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0407\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0000\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\defltwk.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0C0A\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0407\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\CORPerfMonSymbols.h	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0000\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0410\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\0407\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0409\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\0407\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0411\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\rasctrnm.h	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0C0A\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0409\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0410\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\it-IT\netavpnt.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0410\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0C0A\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0410\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\idxcntrs.h	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0000\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0411\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0409\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\040C\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\040C\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0C0A\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0409\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\es-ES\netavpnt.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0407\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0407\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0409\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0410\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0410\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0411\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0407\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0409\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\040C\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\0000\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\040C\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\puwk.inf	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "192168118080-29346-13188-2924923564"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "192168118080-293461318829249"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "192168118080-29346-13188-2924923564"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2068	ipconfig.exe
3036	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2068	taskkill.exe
1712	taskkill.exe
2852	taskkill.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1212	reg.exe
1676	reg.exe
2212	reg.exe
2092	reg.exe
2888	reg.exe
768	reg.exe
2860	reg.exe
2472	reg.exe
2584	reg.exe
2264	reg.exe
1292	reg.exe
1820	reg.exe
2816	reg.exe
2668	reg.exe
1676	reg.exe
2704	reg.exe
2044	reg.exe
2504	reg.exe
588	reg.exe
3028	reg.exe
2044	reg.exe
1852	reg.exe
824	reg.exe
1512	reg.exe
1548	reg.exe
1664	reg.exe
644	reg.exe
2228	reg.exe
1064	reg.exe
2016	reg.exe
880	reg.exe
1808	reg.exe
2440	reg.exe
2980	reg.exe
2752	reg.exe
2108	reg.exe
2516	reg.exe
2448	reg.exe
948	reg.exe
2928	reg.exe
1320	reg.exe
2652	reg.exe
1728	reg.exe
2728	reg.exe
2464	reg.exe
2608	reg.exe
1468	reg.exe
2684	reg.exe
2716	reg.exe
2288	reg.exe
2684	reg.exe
2688	reg.exe
1976	reg.exe
2980	reg.exe
1096	reg.exe
3048	reg.exe
2312	reg.exe
3024	reg.exe
2340	reg.exe
1388	reg.exe
1124	reg.exe
2300	reg.exe
2816	reg.exe
2708	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	Fortnite-Cleaner.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2044	2384	Fortnite-Cleaner.exe	29
PID 2384 wrote to memory of 2044	2384	Fortnite-Cleaner.exe	29
PID 2384 wrote to memory of 2044	2384	Fortnite-Cleaner.exe	29
PID 2384 wrote to memory of 2412	2384	Fortnite-Cleaner.exe	31
PID 2384 wrote to memory of 2412	2384	Fortnite-Cleaner.exe	31
PID 2384 wrote to memory of 2412	2384	Fortnite-Cleaner.exe	31
PID 2384 wrote to memory of 2700	2384	Fortnite-Cleaner.exe	33
PID 2384 wrote to memory of 2700	2384	Fortnite-Cleaner.exe	33
PID 2384 wrote to memory of 2700	2384	Fortnite-Cleaner.exe	33
PID 2384 wrote to memory of 2800	2384	Fortnite-Cleaner.exe	35
PID 2384 wrote to memory of 2800	2384	Fortnite-Cleaner.exe	35
PID 2384 wrote to memory of 2800	2384	Fortnite-Cleaner.exe	35
PID 2384 wrote to memory of 2792	2384	Fortnite-Cleaner.exe	37
PID 2384 wrote to memory of 2792	2384	Fortnite-Cleaner.exe	37
PID 2384 wrote to memory of 2792	2384	Fortnite-Cleaner.exe	37
PID 2384 wrote to memory of 2696	2384	Fortnite-Cleaner.exe	39
PID 2384 wrote to memory of 2696	2384	Fortnite-Cleaner.exe	39
PID 2384 wrote to memory of 2696	2384	Fortnite-Cleaner.exe	39
PID 2384 wrote to memory of 2304	2384	Fortnite-Cleaner.exe	41
PID 2384 wrote to memory of 2304	2384	Fortnite-Cleaner.exe	41
PID 2384 wrote to memory of 2304	2384	Fortnite-Cleaner.exe	41
PID 2384 wrote to memory of 2588	2384	Fortnite-Cleaner.exe	43
PID 2384 wrote to memory of 2588	2384	Fortnite-Cleaner.exe	43
PID 2384 wrote to memory of 2588	2384	Fortnite-Cleaner.exe	43
PID 2384 wrote to memory of 2580	2384	Fortnite-Cleaner.exe	45
PID 2384 wrote to memory of 2580	2384	Fortnite-Cleaner.exe	45
PID 2384 wrote to memory of 2580	2384	Fortnite-Cleaner.exe	45
PID 2384 wrote to memory of 2724	2384	Fortnite-Cleaner.exe	47
PID 2384 wrote to memory of 2724	2384	Fortnite-Cleaner.exe	47
PID 2384 wrote to memory of 2724	2384	Fortnite-Cleaner.exe	47
PID 2384 wrote to memory of 2556	2384	Fortnite-Cleaner.exe	49
PID 2384 wrote to memory of 2556	2384	Fortnite-Cleaner.exe	49
PID 2384 wrote to memory of 2556	2384	Fortnite-Cleaner.exe	49
PID 2384 wrote to memory of 2616	2384	Fortnite-Cleaner.exe	51
PID 2384 wrote to memory of 2616	2384	Fortnite-Cleaner.exe	51
PID 2384 wrote to memory of 2616	2384	Fortnite-Cleaner.exe	51
PID 2384 wrote to memory of 2120	2384	Fortnite-Cleaner.exe	53
PID 2384 wrote to memory of 2120	2384	Fortnite-Cleaner.exe	53
PID 2384 wrote to memory of 2120	2384	Fortnite-Cleaner.exe	53
PID 2384 wrote to memory of 1808	2384	Fortnite-Cleaner.exe	55
PID 2384 wrote to memory of 1808	2384	Fortnite-Cleaner.exe	55
PID 2384 wrote to memory of 1808	2384	Fortnite-Cleaner.exe	55
PID 2384 wrote to memory of 2960	2384	Fortnite-Cleaner.exe	57
PID 2384 wrote to memory of 2960	2384	Fortnite-Cleaner.exe	57
PID 2384 wrote to memory of 2960	2384	Fortnite-Cleaner.exe	57
PID 2384 wrote to memory of 2124	2384	Fortnite-Cleaner.exe	59
PID 2384 wrote to memory of 2124	2384	Fortnite-Cleaner.exe	59
PID 2384 wrote to memory of 2124	2384	Fortnite-Cleaner.exe	59
PID 2384 wrote to memory of 1724	2384	Fortnite-Cleaner.exe	60
PID 2384 wrote to memory of 1724	2384	Fortnite-Cleaner.exe	60
PID 2384 wrote to memory of 1724	2384	Fortnite-Cleaner.exe	60
PID 1724 wrote to memory of 1712	1724	cmd.exe	62
PID 1724 wrote to memory of 1712	1724	cmd.exe	62
PID 1724 wrote to memory of 1712	1724	cmd.exe	62
PID 2384 wrote to memory of 1596	2384	Fortnite-Cleaner.exe	64
PID 2384 wrote to memory of 1596	2384	Fortnite-Cleaner.exe	64
PID 2384 wrote to memory of 1596	2384	Fortnite-Cleaner.exe	64
PID 1596 wrote to memory of 2852	1596	cmd.exe	66
PID 1596 wrote to memory of 2852	1596	cmd.exe	66
PID 1596 wrote to memory of 2852	1596	cmd.exe	66
PID 2384 wrote to memory of 2880	2384	Fortnite-Cleaner.exe	67
PID 2384 wrote to memory of 2880	2384	Fortnite-Cleaner.exe	67
PID 2384 wrote to memory of 2880	2384	Fortnite-Cleaner.exe	67
PID 2880 wrote to memory of 2068	2880	cmd.exe	69

C:\Users\Admin\AppData\Local\Temp\Fortnite-Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite-Cleaner.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
  2⤵
  PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
  2⤵
  PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s C:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s D:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s E:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s F:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  2⤵
  PID:2588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
  2⤵
  PID:2580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
  2⤵
  PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
  2⤵
  PID:2556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
  2⤵
  PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im OneDrive.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
  2⤵
  PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
  2⤵
  PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:2116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
  2⤵
  PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:2536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
  2⤵
  PID:756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:1796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
  2⤵
  PID:1548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:1608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:2180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
  2⤵
  PID:284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
  2⤵
  PID:1676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
  2⤵
  PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
  2⤵
  PID:1020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
  2⤵
  PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
  2⤵
  PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
  2⤵
  PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
  2⤵
  PID:1576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
  2⤵
  PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
  2⤵
  PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
  2⤵
  PID:2908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
  2⤵
  PID:2660
- - C:\Windows\system32\reg.exe
    reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    - Modifies registry key
    PID:2708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
  2⤵
  PID:2812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2688
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 293461318829249235642818317764256342948314521129951547728703 /f
    3⤵
    - Modifies registry key
    PID:2716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
  2⤵
  PID:2672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
  2⤵
  PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 293461318829249235642818317764256342948314521129951547728703 /f
    3⤵
    - Modifies registry key
    PID:2584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
  2⤵
  PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2632
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-29346 /f
    3⤵
    - Modifies registry key
    PID:2464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:2568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-29346 /f
    3⤵
    PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 19216811808029346-13188-29249-23564 /f
    3⤵
    PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {192168118080-%random%-%random} /f
  2⤵
  PID:2852
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {192168118080-29346-%random} /f
    3⤵
    PID:1124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
  2⤵
  PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 192168118080-%random%%random%%random% /f
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 192168118080-293461318829249 /f
    3⤵
    PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
  2⤵
  PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
  2⤵
  PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 192168118080-%random% /f
  2⤵
  PID:2508
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 192168118080-29346 /f
    3⤵
    - Modifies registry key
    PID:2016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 192168118080-%random% /f
  2⤵
  PID:1544
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 192168118080-29346 /f
    3⤵
    - Modifies registry key
    PID:2448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
  2⤵
  PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
  2⤵
  PID:812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 192168118080-%random%%random%%random% /f
  2⤵
  PID:2460
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 192168118080-293461318829249 /f
    3⤵
    - Enumerates system info in registry
    PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
  2⤵
  PID:3000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-29346-13188-2924923564} /f
    3⤵
    PID:2280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
  2⤵
  PID:2416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:712
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-29346-13188-2924923564} /f
    3⤵
    PID:1028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
  2⤵
  PID:704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2424
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {192168118080-29346-13188-2924923564} /f
    3⤵
    - Modifies registry key
    PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
  2⤵
  PID:816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:352
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 192168118080-29346-13188-2924923564 /f
    3⤵
    PID:324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
  2⤵
  PID:444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2072
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 192168118080-29346-13188-2924923564 /f
    3⤵
    - Modifies registry key
    PID:880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
  2⤵
  PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1488
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 192168118080-29346-13188-2924923564 /f
    3⤵
    - Modifies registry key
    PID:1388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
  2⤵
  PID:1608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:620
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-29346-13188-2924923564 /f
    3⤵
    - Modifies registry key
    PID:1096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-29346-13188-2924923564 /f
    3⤵
    - Modifies registry key
    PID:1676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
  2⤵
  PID:564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 192168118080-29346-13188-2924923564 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
  2⤵
  PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
  2⤵
  PID:108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2972
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 192168118080-29346-13188-2924923564 /f
    3⤵
    - Enumerates system info in registry
    PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
  2⤵
  PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1156
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {192168118080-29346-13188-2924923564} /f
    3⤵
    - Modifies registry key
    PID:2264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192168118080-29346-13188-2924923564} /f
    3⤵
    - Modifies registry key
    PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2796
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-29346 /f
    3⤵
    - Modifies registry key
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:2708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
  2⤵
  PID:2804
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 29346 /f
    3⤵
    PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
  2⤵
  PID:2716
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 29349 /f
    3⤵
    - Modifies registry key
    PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
  2⤵
  PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  2⤵
  PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-29349 /f
    3⤵
    PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
  2⤵
  PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {19216811808029349-23937-14345-148595730} /f
    3⤵
    - Modifies registry key
    PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2632
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {19216811808029349-23937-14345-148595730} /f
    3⤵
    - Modifies registry key
    PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29349 /f
    3⤵
    - Modifies registry key
    PID:2312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:1788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
  2⤵
  PID:2652
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 29349 /f
    3⤵
    - Modifies registry key
    PID:1124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
  2⤵
  PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:2744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
  2⤵
  PID:3064
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 29349 /f
    3⤵
    PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
  2⤵
  PID:3068
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 29349-23937-14345-14859 /f
    3⤵
    PID:2016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
  2⤵
  PID:2096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
  2⤵
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:1520
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 19216811808029349-23937-14345-14859 /f
    3⤵
    - Modifies registry key
    PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
  2⤵
  PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:3004
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 19216811808029349-23937-14345-14859 /f
    3⤵
    - Modifies registry key
    PID:1292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
  2⤵
  PID:2484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
  2⤵
  PID:2276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 192168118080%random% /f
  2⤵
  PID:3008
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 19216811808029349 /f
    3⤵
    - Modifies registry key
    PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
  2⤵
  PID:596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
  2⤵
  PID:532
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 29349 /f
    3⤵
    PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
  2⤵
  PID:756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
  2⤵
  PID:844
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 29349 /f
    3⤵
    - Modifies registry key
    PID:1820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
  2⤵
  PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%} /f
  2⤵
  PID:324
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {19216811808029349-23937-14345-14859} /f
    3⤵
    - Modifies registry key
    PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
  2⤵
  PID:2076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
  2⤵
  PID:2060
- - C:\Windows\system32\reg.exe
    REG delete HKCU\Software\Epic" "Games /f
    3⤵
    - Modifies registry key
    PID:1548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
  2⤵
  PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1528
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 29349-23937-14345-148595730 /f
    3⤵
    PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /s /f /a:h /a:a /d C:\MSOCache\{71230000_00E2-0000-1000-00000000}\Setup.dat
  2⤵
  PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  2⤵
  PID:980
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    PID:2192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  2⤵
  PID:964
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    - Modifies registry key
    PID:1676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  2⤵
  PID:2172
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:3012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:1020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:2028
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:944
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:2916
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    - Modifies registry key
    PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2812
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2804
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    PID:1268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2388
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:2688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:776
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:2608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2600
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2584
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:2668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    - Modifies registry key
    PID:1320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:2612
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:2104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:2064
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2528
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 29352191732209615416044256173185923628147766991518128791 /f
    3⤵
    - Modifies registry key
    PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2112
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 192168118080-29355-12665-1730630218 /f
    3⤵
    - Modifies registry key
    PID:2228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1504
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192168118080-29355-12665-1730630218 /f
    3⤵
    - Modifies registry key
    PID:2860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2732
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 192168118080-29355-12665-1730630218 /f
    3⤵
    - Modifies registry key
    PID:2888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
  2⤵
  PID:1616
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    PID:1416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1672
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 192168118080-29355-12665-1730630218 /f
    3⤵
    PID:1292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3004
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 192168118080-29355-12665-1730630218 /f
    3⤵
    PID:1296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
  2⤵
  PID:2252
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    - Modifies registry key
    PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  2⤵
  PID:3000
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    - Modifies registry key
    PID:588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  2⤵
  PID:600
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    - Modifies registry key
    PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:532
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    - Modifies registry key
    PID:644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
  2⤵
  PID:756
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    - Modifies registry key
    PID:1468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
  2⤵
  PID:2456
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    - Modifies registry key
    PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
  2⤵
  PID:1140
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    - Modifies registry key
    PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:2404
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    PID:880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 29355126651730630218263592954422032070131288273191503328835 /f
    3⤵
    PID:1860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2644
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 293551266517306302182635929544220320701312882731915033 /f
    3⤵
    PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 2935512665173063021826359295442203207013128827319 /f
    3⤵
    - Modifies registry key
    PID:1064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1096
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 2935923414240221513390570353151777315031211711488528879 /f
    3⤵
    - Modifies registry key
    PID:1976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:284
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 2935923414240221513390570353151777315031211711488528879 /f
    3⤵
    - Modifies registry key
    PID:3028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2344
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 2935923414240221513390570353151777315031 /f
    3⤵
    - Modifies registry key
    PID:2108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2188
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 2935923414240221513390570353151777315031 /f
    3⤵
    - Modifies registry key
    PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3020
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 2935923414240221513390570353151777315031 /f
    3⤵
    PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 29359234142402 /f
    3⤵
    PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2028
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 29359234142402 /f
    3⤵
    - Modifies registry key
    PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:944
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 29359234142402 /f
    3⤵
    - Modifies registry key
    PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2412
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 29359234142402 /f
    3⤵
    - Modifies registry key
    PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2916
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 2935923414240221513390570353151777315031211711488528879 /f
    3⤵
    - Modifies registry key
    PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {29359-23414-240221513} /f
    3⤵
    - Modifies registry key
    PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH WINSOCK RESET
  2⤵
  PID:2812
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:1268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH WINSOCK RESET
  2⤵
  PID:2768
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INT IP RESET
  2⤵
  PID:2752
- - C:\Windows\system32\netsh.exe
    NETSH INT IP RESET
    3⤵
    PID:2564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE IPV4 RESET
  2⤵
  PID:2464
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV4 RESET
    3⤵
    PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE IPV6 RESET
  2⤵
  PID:1908
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV6 RESET
    3⤵
    PID:1320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE TCP RESET
  2⤵
  PID:2300
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE TCP RESET
    3⤵
    PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C IPCONFIG /RELEASE
  2⤵
  PID:1304
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /RELEASE
    3⤵
    - Gathers network information
    PID:2068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C IPCONFIG /FLUSHDNS
  2⤵
  PID:3064
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /FLUSHDNS
    3⤵
    - Gathers network information
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NBTSTAT -R
  2⤵
  PID:1728
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -R
    3⤵
    PID:2348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NBTSTAT -RR
  2⤵
  PID:2092
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -RR
    3⤵
    PID:1432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
  2⤵
  PID:2228
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
    3⤵
    PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1523859996-2108194897-1723060912-6098835231436842082-1042462806179773955417297415"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "321115443-1759061107407393877933232391-91339711203837300497582159-1717002484"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1460458060598611047152990607411607178956449891916374960582446056821225876927"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2124013067-195021121620597733071197189342-1641481440801325307-15338488381610071596"
1⤵
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-86683859248286909-1650238572388313758-21028509071279040357-1083007563149064696"
1⤵
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1448678288-148920748420850198181301549390-170911588317991822131966707693821646554"
1⤵
PID:2280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "858639856-926062737-1634591377799996081940362674-1550751482-757614543808442595"
1⤵
PID:1608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1340262801-805276767-4469189301809671176561039270905853860-137885110075140833"
1⤵
PID:556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12326871981999822156-99424820-1971865512-12415271475531541099661962022124262812"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1300498335-121054248116540538951905189431-627942008-4454738522075910645-2086029375"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17314511831264857850299503885232095663-1418595815-1456619672-56011977946041544"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1762571205-1269596301809085981-1170485748-1136628711-15812535271609828379-2140829759"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8643202615113135491375698446-1800524981-4707961886408366433009564731838084165"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-112943276510872046001254174205-2029424779-1075014374235115351-1468510269972107488"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10520929711251704935535113022-4251647756848278001959346486496856580-1465351648"
1⤵
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "912015991-1025381170142021708016039217392007485290-4221597842128688009704054733"
1⤵
PID:620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1383565137-2015105005-330410116-128811951-1024226096-575892519288327827-1119755909"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3556568841912844634853739241-611226726-418601487404041795-3323495921342025318"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1558697747833140332-1332441073-81347295418515997471255749093-9824255-2056908451"
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads