561537d9facf1140ce4e3e25290c3bc31967c65d3d77c429afdea20557cb8e43

Resubmissions

14/06/2024, 13:54

240614-q7y8nstbpf 7

14/06/2024, 13:52

240614-q6wq6axbnp 7

Analysis

max time kernel
8s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite-Cleaner.exe
Size

426KB
MD5

a158fb5bce9e7f3adf129939d25f96df
SHA1

28adc37dee6605dc90e521fdc1c3d8c9fee2eab1
SHA256

561537d9facf1140ce4e3e25290c3bc31967c65d3d77c429afdea20557cb8e43
SHA512

5b2272fe5ec5a3fd3fd2dc0684817b7b917c81b8bbe0d50513acbd15c04e0a954d55fdf2632848f98004e4dd1eaf9c0475688ebceb97936d742338dd5a3198c5
SSDEEP

12288:G6R/iFHrLFmA/nsZIf2AKV1Biu5xgVuT:5pGLWZIf2fPYuDgV

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	Fortnite-Cleaner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\c_fssystemrecovery.inf	cmd.exe
File opened for modification	C:\Windows\INF\dshowext.inf	cmd.exe
File opened for modification	C:\Windows\INF\urschipidea.inf	cmd.exe
File opened for modification	C:\Windows\INF\wvpci.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA5703~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\.NET Memory Cache 4.0\netmemorycache.ini	cmd.exe
File opened for modification	C:\Windows\INF\megasas.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0C0A\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\tpm.inf	cmd.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\PerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\iscsi.inf	cmd.exe
File opened for modification	C:\Windows\INF\sdbus.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAE854~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\cpu.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fdc.inf	cmd.exe
File opened for modification	C:\Windows\INF\pcmcia.inf	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\040C\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\DIRECT~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAC5E1~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\netr28ux.inf	cmd.exe
File opened for modification	C:\Windows\INF\netvchannel.inf	cmd.exe
File opened for modification	C:\Windows\INF\netwns64.inf	cmd.exe
File opened for modification	C:\Windows\INF\netl160a.inf	cmd.exe
File opened for modification	C:\Windows\INF\netmscli.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_fsvirtualization.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmhaeu.inf	cmd.exe
File opened for modification	C:\Windows\INF\termkbd.inf	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0C0A\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LAF330~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA5915~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\storufs.inf	cmd.exe
File opened for modification	C:\Windows\INF\wpdcomp.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA6643~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA434A~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\bthpan.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_monitor.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_smrdisk.inf	cmd.exe
File opened for modification	C:\Windows\INF\microsoft_bluetooth_hfp_hf.inf	cmd.exe
File opened for modification	C:\Windows\INF\netimm.inf	cmd.exe
File opened for modification	C:\Windows\INF\wvmbus.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATFI~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking\0410\_Networkingperfcounters_v2_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\net7500-x64-n650f.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\040C\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\.NET Memory Cache 4.0\0410\netmemorycache_d.ini	cmd.exe
File opened for modification	C:\Windows\INF\dwup-noregkeys.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmcxhv6.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmdsi.inf	cmd.exe
File opened for modification	C:\Windows\INF\pnpxinternetgatewaydevices.inf	cmd.exe
File opened for modification	C:\Windows\INF\usbxhci.inf	cmd.exe
File opened for modification	C:\Windows\INF\wstorflt.inf	cmd.exe
File opened for modification	C:\Windows\INF\c_display.inf	cmd.exe
File opened for modification	C:\Windows\INF\ksfilter.inf	cmd.exe
File opened for modification	C:\Windows\INF\hidinterrupt.inf	cmd.exe
File opened for modification	C:\Windows\INF\mdmarch.inf	cmd.exe
File opened for modification	C:\Windows\INF\SMSVCH~1.0\040C\_SMSvcHostPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\LA2B9F~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\c_linedisplay.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdpbus.inf	cmd.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\RSATWS~1.MUM	cmd.exe
File opened for modification	C:\Windows\INF\mdmntt1.inf	cmd.exe
File opened for modification	C:\Windows\INF\netbc63a.inf	cmd.exe
File opened for modification	C:\Windows\INF\nulhpopr.inf	cmd.exe
File opened for modification	C:\Windows\INF\tape.inf	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "192168118080-29352191732209"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "192168118080-29352-1917-322096154"	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "192168118080-29352-1917-322096154"	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1040	ipconfig.exe
2000	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1956	taskkill.exe
2264	taskkill.exe
3336	taskkill.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3364	reg.exe
1320	reg.exe
4324	reg.exe
3208	reg.exe
4060	reg.exe
3232	reg.exe
4008	reg.exe
4888	reg.exe
5072	reg.exe
4888	reg.exe
2300	reg.exe
1544	reg.exe
4436	reg.exe
1692	reg.exe
1456	reg.exe
4484	reg.exe
4320	reg.exe
4368	reg.exe
3008	reg.exe
1932	reg.exe
1548	reg.exe
3744	reg.exe
312	reg.exe
4356	reg.exe
4192	reg.exe
3168	reg.exe
2452	reg.exe
4196	reg.exe
4404	reg.exe
1856	reg.exe
3480	reg.exe
1880	reg.exe
4296	reg.exe
1196	reg.exe
3504	reg.exe
1900	reg.exe
3228	reg.exe
3784	reg.exe
1556	reg.exe
1452	reg.exe
2892	reg.exe
1040	reg.exe
1540	reg.exe
4996	reg.exe
3488	reg.exe
4440	reg.exe
3344	reg.exe
4640	reg.exe
3080	reg.exe
5076	reg.exe
1016	reg.exe
4956	reg.exe
1960	reg.exe
3772	reg.exe
2504	reg.exe
4280	reg.exe
1084	reg.exe
1540	reg.exe
1704	reg.exe
1980	reg.exe
4880	reg.exe
3720	reg.exe
2432	reg.exe
640	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
116	Fortnite-Cleaner.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1864	116	Fortnite-Cleaner.exe	85
PID 116 wrote to memory of 1864	116	Fortnite-Cleaner.exe	85
PID 116 wrote to memory of 1256	116	Fortnite-Cleaner.exe	87
PID 116 wrote to memory of 1256	116	Fortnite-Cleaner.exe	87
PID 116 wrote to memory of 4592	116	Fortnite-Cleaner.exe	89
PID 116 wrote to memory of 4592	116	Fortnite-Cleaner.exe	89
PID 116 wrote to memory of 2272	116	Fortnite-Cleaner.exe	91
PID 116 wrote to memory of 2272	116	Fortnite-Cleaner.exe	91
PID 116 wrote to memory of 400	116	Fortnite-Cleaner.exe	93
PID 116 wrote to memory of 400	116	Fortnite-Cleaner.exe	93
PID 116 wrote to memory of 2728	116	Fortnite-Cleaner.exe	96
PID 116 wrote to memory of 2728	116	Fortnite-Cleaner.exe	96
PID 116 wrote to memory of 4408	116	Fortnite-Cleaner.exe	98
PID 116 wrote to memory of 4408	116	Fortnite-Cleaner.exe	98
PID 116 wrote to memory of 3016	116	Fortnite-Cleaner.exe	101
PID 116 wrote to memory of 3016	116	Fortnite-Cleaner.exe	101
PID 116 wrote to memory of 3548	116	Fortnite-Cleaner.exe	104
PID 116 wrote to memory of 3548	116	Fortnite-Cleaner.exe	104
PID 116 wrote to memory of 1948	116	Fortnite-Cleaner.exe	105
PID 116 wrote to memory of 1948	116	Fortnite-Cleaner.exe	105
PID 1948 wrote to memory of 1956	1948	cmd.exe	107
PID 1948 wrote to memory of 1956	1948	cmd.exe	107
PID 116 wrote to memory of 2288	116	Fortnite-Cleaner.exe	109
PID 116 wrote to memory of 2288	116	Fortnite-Cleaner.exe	109
PID 2288 wrote to memory of 2264	2288	cmd.exe	111
PID 2288 wrote to memory of 2264	2288	cmd.exe	111
PID 116 wrote to memory of 3160	116	Fortnite-Cleaner.exe	112
PID 116 wrote to memory of 3160	116	Fortnite-Cleaner.exe	112
PID 116 wrote to memory of 1756	116	Fortnite-Cleaner.exe	114
PID 116 wrote to memory of 1756	116	Fortnite-Cleaner.exe	114
PID 116 wrote to memory of 2352	116	Fortnite-Cleaner.exe	116
PID 116 wrote to memory of 2352	116	Fortnite-Cleaner.exe	116
PID 1756 wrote to memory of 3336	1756	cmd.exe	118
PID 1756 wrote to memory of 3336	1756	cmd.exe	118
PID 116 wrote to memory of 4868	116	Fortnite-Cleaner.exe	119
PID 116 wrote to memory of 4868	116	Fortnite-Cleaner.exe	119
PID 116 wrote to memory of 2800	116	Fortnite-Cleaner.exe	121
PID 116 wrote to memory of 2800	116	Fortnite-Cleaner.exe	121
PID 116 wrote to memory of 1920	116	Fortnite-Cleaner.exe	123
PID 116 wrote to memory of 1920	116	Fortnite-Cleaner.exe	123
PID 116 wrote to memory of 1496	116	Fortnite-Cleaner.exe	125
PID 116 wrote to memory of 1496	116	Fortnite-Cleaner.exe	125
PID 116 wrote to memory of 4996	116	Fortnite-Cleaner.exe	127
PID 116 wrote to memory of 4996	116	Fortnite-Cleaner.exe	127
PID 116 wrote to memory of 4672	116	Fortnite-Cleaner.exe	129
PID 116 wrote to memory of 4672	116	Fortnite-Cleaner.exe	129
PID 116 wrote to memory of 3080	116	Fortnite-Cleaner.exe	131
PID 116 wrote to memory of 3080	116	Fortnite-Cleaner.exe	131
PID 116 wrote to memory of 1044	116	Fortnite-Cleaner.exe	133
PID 116 wrote to memory of 1044	116	Fortnite-Cleaner.exe	133
PID 116 wrote to memory of 2344	116	Fortnite-Cleaner.exe	135
PID 116 wrote to memory of 2344	116	Fortnite-Cleaner.exe	135
PID 116 wrote to memory of 1256	116	Fortnite-Cleaner.exe	137
PID 116 wrote to memory of 1256	116	Fortnite-Cleaner.exe	137
PID 116 wrote to memory of 4764	116	Fortnite-Cleaner.exe	139
PID 116 wrote to memory of 4764	116	Fortnite-Cleaner.exe	139
PID 116 wrote to memory of 552	116	Fortnite-Cleaner.exe	141
PID 116 wrote to memory of 552	116	Fortnite-Cleaner.exe	141
PID 116 wrote to memory of 1524	116	Fortnite-Cleaner.exe	143
PID 116 wrote to memory of 1524	116	Fortnite-Cleaner.exe	143
PID 116 wrote to memory of 3308	116	Fortnite-Cleaner.exe	145
PID 116 wrote to memory of 3308	116	Fortnite-Cleaner.exe	145
PID 116 wrote to memory of 3880	116	Fortnite-Cleaner.exe	147
PID 116 wrote to memory of 3880	116	Fortnite-Cleaner.exe	147

C:\Users\Admin\AppData\Local\Temp\Fortnite-Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite-Cleaner.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
  2⤵
  PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
  2⤵
  PID:4592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s C:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s D:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s E:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s F:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:4408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  2⤵
  - Drops file in Windows directory
  PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
  2⤵
  PID:3160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im OneDrive.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
  2⤵
  PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
  2⤵
  PID:4868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
  2⤵
  PID:2800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:1496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:4996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
  2⤵
  PID:4672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
  2⤵
  PID:3080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
  2⤵
  PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:4764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
  2⤵
  PID:3308
- - C:\Windows\system32\reg.exe
    reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    - Modifies registry key
    PID:3480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:3880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:4408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2276
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 2934923937143451485957302169128746265553103268471532928747 /f
    3⤵
    - Modifies registry key
    PID:4436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  PID:4840
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    - Modifies registry key
    PID:3720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2934923937143451485957302169128746265553103268471532928747 /f
    3⤵
    PID:3168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:4976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2992
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-29349 /f
    3⤵
    PID:4048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
  2⤵
  PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:3024
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-29349 /f
    3⤵
    - Modifies registry key
    PID:1548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 19216811808029349-23937-14345-14859 /f
    3⤵
    - Modifies registry key
    PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:1404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {192168118080-%random%-%random} /f
  2⤵
  PID:4880
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {192168118080-29349-%random} /f
    3⤵
    - Modifies registry key
    PID:4888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:4504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 192168118080-%random%%random%%random% /f
  2⤵
  PID:3044
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 192168118080-29352191732209 /f
    3⤵
    - Modifies registry key
    PID:3364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 192168118080-%random% /f
  2⤵
  PID:1044
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 192168118080-29352 /f
    3⤵
    - Modifies registry key
    PID:1880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:3696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 192168118080-%random% /f
  2⤵
  PID:2712
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 192168118080-29352 /f
    3⤵
    - Modifies registry key
    PID:5072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 192168118080-%random%%random%%random% /f
  2⤵
  PID:3396
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 192168118080-29352191732209 /f
    3⤵
    - Enumerates system info in registry
    PID:3880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
  2⤵
  PID:4248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2256
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-29352-1917-322096154} /f
    3⤵
    PID:4584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:5020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1040
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-29352-1917-322096154} /f
    3⤵
    - Modifies registry key
    PID:1320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1436
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {192168118080-29352-1917-322096154} /f
    3⤵
    - Modifies registry key
    PID:1016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:1100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4408
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    PID:3100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
  2⤵
  PID:824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4636
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:2432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:3744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4688
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:4296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
  2⤵
  PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2560
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:1084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
  2⤵
  PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2800
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Modifies registry key
    PID:4996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
  2⤵
  PID:1480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2212
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
  2⤵
  PID:1796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4916
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 192168118080-29352-1917-322096154 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
  2⤵
  PID:4148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:4788
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {192168118080-29355-12665-1730630218} /f
    3⤵
    - Modifies registry key
    PID:4324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
  2⤵
  PID:4764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
  2⤵
  PID:3636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:5056
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192168118080-29355-12665-1730630218} /f
    3⤵
    - Modifies registry key
    PID:3488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
  2⤵
  PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-29355 /f
    3⤵
    PID:3312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
  2⤵
  PID:312
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
  2⤵
  PID:4840
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 29355 /f
    3⤵
    PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
  2⤵
  PID:1016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 29355 /f
    3⤵
    - Modifies registry key
    PID:3772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
  2⤵
  PID:1792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
  2⤵
  PID:4752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:796
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-29355 /f
    3⤵
    - Modifies registry key
    PID:1196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
  2⤵
  PID:1720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:4060
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {19216811808029355-12665-17306-3021826359} /f
    3⤵
    PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
  2⤵
  PID:1496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1084
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {19216811808029355-12665-17306-3021826359} /f
    3⤵
    - Modifies registry key
    PID:4888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
  2⤵
  PID:4624
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29355 /f
    3⤵
    - Modifies registry key
    PID:1540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:1032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 29355 /f
    3⤵
    PID:4484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
  2⤵
  PID:3592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 29355 /f
    3⤵
    - Modifies registry key
    PID:3504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
  2⤵
  PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 29355-12665-17306-30218 /f
    3⤵
    - Modifies registry key
    PID:1900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
  2⤵
  PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:60
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4584
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 19216811808029355-12665-17306-30218 /f
    3⤵
    PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
  2⤵
  PID:4396
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:3288
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 19216811808029355-12665-17306-30218 /f
    3⤵
    PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
  2⤵
  PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
  2⤵
  PID:4204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 192168118080%random% /f
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 19216811808029359 /f
    3⤵
    - Modifies registry key
    PID:4956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
  2⤵
  PID:1100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
  2⤵
  PID:2220
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 29359 /f
    3⤵
    - Modifies registry key
    PID:3208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
  2⤵
  PID:724
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
  2⤵
  PID:4628
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 29359 /f
    3⤵
    - Modifies registry key
    PID:3744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
  2⤵
  PID:1756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%} /f
  2⤵
  PID:2580
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {19216811808029359-23414-2402-21513} /f
    3⤵
    - Modifies registry key
    PID:4060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
  2⤵
  PID:3332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
  2⤵
  PID:4404
- - C:\Windows\system32\reg.exe
    REG delete HKCU\Software\Epic" "Games /f
    3⤵
    PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
  2⤵
  PID:404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:4640
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1780
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 29359-23414-2402-215133905 /f
    3⤵
    - Modifies registry key
    PID:1456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
  2⤵
  PID:4372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  2⤵
  PID:1032
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    - Modifies registry key
    PID:4484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  2⤵
  PID:956
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    - Modifies registry key
    PID:1704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
  2⤵
  PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  2⤵
  PID:3596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    - Modifies registry key
    PID:3228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
  2⤵
  PID:192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:5056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
  2⤵
  PID:3880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
  2⤵
  PID:3868
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:60
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:4396
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:3800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:4012
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1680
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:1948
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:4440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:3160
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  2⤵
  PID:1196
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:3968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3024
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 192168118080-29362-1394-2026612808 /f
    3⤵
    PID:1452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3212
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 192168118080-29362-1394-2026612808 /f
    3⤵
    - Modifies registry key
    PID:4320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2580
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080-29362-1394-2026612808 /f
    3⤵
    PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:2532
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    PID:4404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:440
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192168118080-29362-1394-2026612808 /f
    3⤵
    PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4364
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 192168118080-29362-1394-2026612808 /f
    3⤵
    - Modifies registry key
    PID:4356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3080
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 192168118080-29362-1394-2026612808 /f
    3⤵
    PID:3572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:4368
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    PID:1960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
  2⤵
  PID:3444
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    - Modifies registry key
    PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:732
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    PID:3396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:1608
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1720
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:3552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:4176
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2340
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:3344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:3008
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:5048
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 29365121435362410424534855611540119191528688751458928967 /f
    3⤵
    - Modifies registry key
    PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 192168118080-29365-12143-53624104 /f
    3⤵
    PID:4204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:824
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192168118080-29365-12143-53624104 /f
    3⤵
    - Modifies registry key
    PID:4192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:4104
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1792
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 192168118080-29365-12143-53624104 /f
    3⤵
    - Modifies registry key
    PID:3168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
  2⤵
  PID:4940
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3968
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    - Modifies registry key
    PID:3232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3164
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 192168118080-29365-12143-53624104 /f
    3⤵
    - Modifies registry key
    PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2428
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 192168118080-29365-12143-53624104 /f
    3⤵
    PID:4924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    - Modifies registry key
    PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  2⤵
  PID:2224
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    - Modifies registry key
    PID:4880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  2⤵
  PID:4988
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1540
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    - Modifies registry key
    PID:3784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:4348
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    - Modifies registry key
    PID:4640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
  2⤵
  PID:2988
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    - Modifies registry key
    PID:3080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
  2⤵
  PID:1880
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    - Modifies registry key
    PID:4368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
  2⤵
  PID:2836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4624
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    PID:4472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:1896
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    - Modifies registry key
    PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1828
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3596
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 293682289123226281672081124831465389923179827271444129011 /f
    3⤵
    PID:1608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1720
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2936822891232262816720811248314653899231798272714441 /f
    3⤵
    PID:3880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:552
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 29368228912322628167208112483146538992317982727 /f
    3⤵
    - Modifies registry key
    PID:1932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1440
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 293682289123226281672081124831465389923179827271444129011 /f
    3⤵
    - Modifies registry key
    PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3288
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 293682289123226281672081124831465389923179827271444129011 /f
    3⤵
    PID:4012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 29372871832219462123961641017765606415542 /f
    3⤵
    PID:4300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4680
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 29372871832219462123961641017765606415542 /f
    3⤵
    - Modifies registry key
    PID:1556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 29372871832219462123961641017765606415542 /f
    3⤵
    PID:1792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:3232
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 293728718322 /f
    3⤵
    - Modifies registry key
    PID:1452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:1100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 293728718322 /f
    3⤵
    - Modifies registry key
    PID:4196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:468
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 293728718322 /f
    3⤵
    - Modifies registry key
    PID:4008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:3040
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 293728718322 /f
    3⤵
    - Modifies registry key
    PID:5076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:3796
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 29372871832219462123961641017765606415542293471429329056 /f
    3⤵
    - Modifies registry key
    PID:4404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  2⤵
  PID:404
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {29372-871-832219462} /f
    3⤵
    - Modifies registry key
    PID:1540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH WINSOCK RESET
  2⤵
  PID:4640
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH WINSOCK RESET
  2⤵
  PID:2448
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4372
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:1880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INT IP RESET
  2⤵
  PID:4472
- - C:\Windows\system32\netsh.exe
    NETSH INT IP RESET
    3⤵
    PID:3504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE IPV4 RESET
  2⤵
  PID:4604
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV4 RESET
    3⤵
    PID:4252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE IPV6 RESET
  2⤵
  PID:4148
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV6 RESET
    3⤵
    PID:5056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE TCP RESET
  2⤵
  PID:4324
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE TCP RESET
    3⤵
    PID:4676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C IPCONFIG /RELEASE
  2⤵
  PID:3008
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /RELEASE
    3⤵
    - Gathers network information
    PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C IPCONFIG /FLUSHDNS
  2⤵
  PID:2276
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /FLUSHDNS
    3⤵
    - Gathers network information
    PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NBTSTAT -R
  2⤵
  PID:2140
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -R
    3⤵
    PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NBTSTAT -RR
  2⤵
  PID:3976
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -RR
    3⤵
    PID:4048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
  2⤵
  PID:1792
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
    3⤵
    PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads