561537d9facf1140ce4e3e25290c3bc31967c65d3d77c429afdea20557cb8e43

Resubmissions

14/06/2024, 13:54

240614-q7y8nstbpf 7

14/06/2024, 13:52

240614-q6wq6axbnp 7

Analysis

max time kernel
8s
max time network
3s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite-Cleaner.exe
Size

426KB
MD5

a158fb5bce9e7f3adf129939d25f96df
SHA1

28adc37dee6605dc90e521fdc1c3d8c9fee2eab1
SHA256

561537d9facf1140ce4e3e25290c3bc31967c65d3d77c429afdea20557cb8e43
SHA512

5b2272fe5ec5a3fd3fd2dc0684817b7b917c81b8bbe0d50513acbd15c04e0a954d55fdf2632848f98004e4dd1eaf9c0475688ebceb97936d742338dd5a3198c5
SSDEEP

12288:G6R/iFHrLFmA/nsZIf2AKV1Biu5xgVuT:5pGLWZIf2fPYuDgV

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\NETCLR~2\040C\_Networkingperfcounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0411\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0410\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\040C\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\fr-FR\netavpnt.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0C0A\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\WSEARC~1\0407\idxcntrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\netavpnt.inf	cmd.exe
File opened for modification	C:\Windows\INF\rdyboost\0000\ReadyBoostPerfCounters.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\0000\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\0000\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\netnb.inf	cmd.exe
File opened for modification	C:\Windows\INF\puwk.inf	cmd.exe
File opened for modification	C:\Windows\INF\sceregvl.inf	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0410\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\_dataperfcounters_shared12_neutral.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETFRA~1\0C0A\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0407\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0409\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\_DataPerfCounters.h	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0411\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\dwup.inf	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\msdtcprf.h	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0407\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\0407\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~1\0410\_DataOracleClientPerfCounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\rasctrnm.h	cmd.exe
File opened for modification	C:\Windows\INF\UGTHRSVC\040C\gthrctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\apps.inf	cmd.exe
File opened for modification	C:\Windows\INF\de-DE\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0000\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0410\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0410\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0407\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\netavpna.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~1\0409\_DataPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ESENT\0C0A\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\it-IT\netavpnt.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~2.0\0409\_ServiceModelServicePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0000\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\lltdio.inf	cmd.exe
File opened for modification	C:\Windows\INF\netrass.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\040C\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\0407\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~3.0\0407\_ServiceModelOperationPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0000\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0C0A\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\defltwk.inf	cmd.exe
File opened for modification	C:\Windows\INF\SERVIC~1.0\0409\_ServiceModelEndpointPerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0000\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\REMOTE~1\0411\rasctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\usbhub\0407\usbperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTC\0411\msdtcprf.ini	cmd.exe
File opened for modification	C:\Windows\INF\UGATHE~1\040C\gsrvctr.ini	cmd.exe
File opened for modification	C:\Windows\INF\NETDAT~2\0409\_dataperfcounters_shared12_neutral_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0409\_TransactionBridgePerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\netsstpa.inf	cmd.exe
File opened for modification	C:\Windows\INF\NETCLR~2\0407\_Networkingperfcounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0409\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\INF\TAPISRV\0C0A\tapiperf.ini	cmd.exe
File opened for modification	C:\Windows\INF\TERMSE~1\0409\tslabels.ini	cmd.exe
File opened for modification	C:\Windows\INF\WINDOW~1.0\040C\PerfCounters_D.ini	cmd.exe
File opened for modification	C:\Windows\INF\ja-JP\netavpna.inf_loc	cmd.exe
File opened for modification	C:\Windows\INF\MSDTCB~1.0\0407\_TransactionBridgePerfCounters_D.ini	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1\Identifier = "192168118080-29937-25338-1863220880"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct = "192168118080-2993314589768"	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "192168118080-29937-25338-1863220880"	reg.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1616	ipconfig.exe
2356	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1588	taskkill.exe
2508	taskkill.exe
2428	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\ClsidStore = 29946248156689275332552119386850115152522928631210304040	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
348	reg.exe
2364	reg.exe
2716	reg.exe
1744	reg.exe
2620	reg.exe
792	reg.exe
2496	reg.exe
3036	reg.exe
2668	reg.exe
1564	reg.exe
1572	reg.exe
652	reg.exe
1604	reg.exe
1520	reg.exe
3048	reg.exe
2464	reg.exe
2044	reg.exe
2428	reg.exe
2436	reg.exe
2884	reg.exe
2408	reg.exe
2412	reg.exe
1112	reg.exe
884	reg.exe
860	reg.exe
1704	reg.exe
624	reg.exe
1244	reg.exe
2828	reg.exe
2700	reg.exe
1156	reg.exe
1040	reg.exe
2932	reg.exe
2008	reg.exe
1040	reg.exe
2436	reg.exe
2400	reg.exe
1664	reg.exe
2992	reg.exe
2756	reg.exe
2884	reg.exe
1844	reg.exe
1544	reg.exe
568	reg.exe
2508	reg.exe
564	reg.exe
344	reg.exe
264	reg.exe
2980	reg.exe
1480	reg.exe
1460	reg.exe
1784	reg.exe
3008	reg.exe
2044	reg.exe
2852	reg.exe
560	reg.exe
2604	reg.exe
1668	reg.exe
800	reg.exe
2680	reg.exe
2756	reg.exe
1828	reg.exe
2824	reg.exe
1512	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2424	Fortnite-Cleaner.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2932	2424	Fortnite-Cleaner.exe	29
PID 2424 wrote to memory of 2932	2424	Fortnite-Cleaner.exe	29
PID 2424 wrote to memory of 2932	2424	Fortnite-Cleaner.exe	29
PID 2424 wrote to memory of 2372	2424	Fortnite-Cleaner.exe	31
PID 2424 wrote to memory of 2372	2424	Fortnite-Cleaner.exe	31
PID 2424 wrote to memory of 2372	2424	Fortnite-Cleaner.exe	31
PID 2424 wrote to memory of 1884	2424	Fortnite-Cleaner.exe	33
PID 2424 wrote to memory of 1884	2424	Fortnite-Cleaner.exe	33
PID 2424 wrote to memory of 1884	2424	Fortnite-Cleaner.exe	33
PID 2424 wrote to memory of 3000	2424	Fortnite-Cleaner.exe	35
PID 2424 wrote to memory of 3000	2424	Fortnite-Cleaner.exe	35
PID 2424 wrote to memory of 3000	2424	Fortnite-Cleaner.exe	35
PID 2424 wrote to memory of 3036	2424	Fortnite-Cleaner.exe	37
PID 2424 wrote to memory of 3036	2424	Fortnite-Cleaner.exe	37
PID 2424 wrote to memory of 3036	2424	Fortnite-Cleaner.exe	37
PID 2424 wrote to memory of 3032	2424	Fortnite-Cleaner.exe	39
PID 2424 wrote to memory of 3032	2424	Fortnite-Cleaner.exe	39
PID 2424 wrote to memory of 3032	2424	Fortnite-Cleaner.exe	39
PID 2424 wrote to memory of 2676	2424	Fortnite-Cleaner.exe	41
PID 2424 wrote to memory of 2676	2424	Fortnite-Cleaner.exe	41
PID 2424 wrote to memory of 2676	2424	Fortnite-Cleaner.exe	41
PID 2424 wrote to memory of 2772	2424	Fortnite-Cleaner.exe	43
PID 2424 wrote to memory of 2772	2424	Fortnite-Cleaner.exe	43
PID 2424 wrote to memory of 2772	2424	Fortnite-Cleaner.exe	43
PID 2424 wrote to memory of 2572	2424	Fortnite-Cleaner.exe	45
PID 2424 wrote to memory of 2572	2424	Fortnite-Cleaner.exe	45
PID 2424 wrote to memory of 2572	2424	Fortnite-Cleaner.exe	45
PID 2424 wrote to memory of 2336	2424	Fortnite-Cleaner.exe	47
PID 2424 wrote to memory of 2336	2424	Fortnite-Cleaner.exe	47
PID 2424 wrote to memory of 2336	2424	Fortnite-Cleaner.exe	47
PID 2424 wrote to memory of 2584	2424	Fortnite-Cleaner.exe	49
PID 2424 wrote to memory of 2584	2424	Fortnite-Cleaner.exe	49
PID 2424 wrote to memory of 2584	2424	Fortnite-Cleaner.exe	49
PID 2424 wrote to memory of 2840	2424	Fortnite-Cleaner.exe	51
PID 2424 wrote to memory of 2840	2424	Fortnite-Cleaner.exe	51
PID 2424 wrote to memory of 2840	2424	Fortnite-Cleaner.exe	51
PID 2424 wrote to memory of 2732	2424	Fortnite-Cleaner.exe	53
PID 2424 wrote to memory of 2732	2424	Fortnite-Cleaner.exe	53
PID 2424 wrote to memory of 2732	2424	Fortnite-Cleaner.exe	53
PID 2424 wrote to memory of 2140	2424	Fortnite-Cleaner.exe	54
PID 2424 wrote to memory of 2140	2424	Fortnite-Cleaner.exe	54
PID 2424 wrote to memory of 2140	2424	Fortnite-Cleaner.exe	54
PID 2424 wrote to memory of 2580	2424	Fortnite-Cleaner.exe	55
PID 2424 wrote to memory of 2580	2424	Fortnite-Cleaner.exe	55
PID 2424 wrote to memory of 2580	2424	Fortnite-Cleaner.exe	55
PID 2140 wrote to memory of 2508	2140	cmd.exe	58
PID 2140 wrote to memory of 2508	2140	cmd.exe	58
PID 2140 wrote to memory of 2508	2140	cmd.exe	58
PID 2424 wrote to memory of 2968	2424	Fortnite-Cleaner.exe	60
PID 2424 wrote to memory of 2968	2424	Fortnite-Cleaner.exe	60
PID 2424 wrote to memory of 2968	2424	Fortnite-Cleaner.exe	60
PID 2424 wrote to memory of 1476	2424	Fortnite-Cleaner.exe	62
PID 2424 wrote to memory of 1476	2424	Fortnite-Cleaner.exe	62
PID 2424 wrote to memory of 1476	2424	Fortnite-Cleaner.exe	62
PID 2424 wrote to memory of 2164	2424	Fortnite-Cleaner.exe	64
PID 2424 wrote to memory of 2164	2424	Fortnite-Cleaner.exe	64
PID 2424 wrote to memory of 2164	2424	Fortnite-Cleaner.exe	64
PID 2164 wrote to memory of 2428	2164	cmd.exe	66
PID 2164 wrote to memory of 2428	2164	cmd.exe	66
PID 2164 wrote to memory of 2428	2164	cmd.exe	66
PID 2424 wrote to memory of 2144	2424	Fortnite-Cleaner.exe	67
PID 2424 wrote to memory of 2144	2424	Fortnite-Cleaner.exe	67
PID 2424 wrote to memory of 2144	2424	Fortnite-Cleaner.exe	67
PID 2144 wrote to memory of 1588	2144	cmd.exe	69

C:\Users\Admin\AppData\Local\Temp\Fortnite-Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite-Cleaner.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\system_no_output32\config\system_no_outputprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\system_no_output Volume Information\IndexerVolumeGuid
  2⤵
  PID:2372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\system_no_output32\restore\MachineGuid.txt
  2⤵
  PID:1884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s C:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:3000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s D:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s E:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rd /q /s F:\$Recycle.Bin >nul 2>&1
  2⤵
  PID:2676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\servicing\InboxFodMetadataCache
  2⤵
  PID:2772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete
  2⤵
  PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive\NSALCache
  2⤵
  PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Logs
  2⤵
  PID:2584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir / s / q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:2580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\FortniteGame\Saved
  2⤵
  PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\INF
  2⤵
  - Drops file in Windows directory
  PID:1476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im OneDrive.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\%username%\Microsoft\XboxLive
  2⤵
  PID:1492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\Public\Documents
  2⤵
  PID:1176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:2536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\CrashReportClient
  2⤵
  PID:1320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\temp
  2⤵
  PID:1684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\SettingSync\metastore
  2⤵
  PID:2716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\Microsoft\Windows\WER\Temp
  2⤵
  PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\DxCache
  2⤵
  PID:2720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Prefetch
  2⤵
  PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\*.*
  2⤵
  PID:484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache\*.*
  2⤵
  PID:1408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /a:h / a : a / q %systemdrive%\Users\%username%\AppData\Local\Microsoft\XboxLive\*.*
  2⤵
  PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC
  2⤵
  PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache
  2⤵
  PID:1092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\Settings
  2⤵
  PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\Engine\Plugins
  2⤵
  PID:704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Plugins
  2⤵
  PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\PersistentDownloadDir
  2⤵
  PID:1208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Program Files\Epic Games\Fortnite\FortniteGame\Config
  2⤵
  PID:1260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\NVIDIA Corporation
  2⤵
  PID:1224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\EasyAntiCheat
  2⤵
  PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\NetworksCache
  2⤵
  PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /s /q %systemdrive%\ProgramData\Microsoft\DataMart\PaidWiFi\Rules
  2⤵
  PID:880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Temp
  2⤵
  PID:560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache
  2⤵
  PID:2188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies
  2⤵
  PID:284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IEDownloadHistory
  2⤵
  PID:2276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatUaCache
  2⤵
  PID:3016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
  2⤵
  PID:1888
- - C:\Windows\system32\reg.exe
    reg delete HKLM\System\CurrentControlSet\Control\TimeZoneInformation /f
    3⤵
    - Modifies registry key
    PID:800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\IECompatCache
  2⤵
  PID:876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1948
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWAREMicrosoft\Windows" "NT\CurrentVersion\Notifications\Data /v 418A073AA3BC3475 /t REG_BINARY /d 2993314589768295841703036792881926861471920455216223864 /f
    3⤵
    PID:1536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\DNTException
  2⤵
  PID:1528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
  2⤵
  PID:2376
- - C:\Windows\system32\reg.exe
    reg delete HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /f
    3⤵
    - Checks processor information in registry
    PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE
  2⤵
  PID:1624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 2993314589768295841703036792881926861471920455216223864 /f
    3⤵
    - Modifies registry key
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History
  2⤵
  PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:3032
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d DESKTOP-29933 /f
    3⤵
    - Modifies registry key
    PID:2680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\History\Low
  2⤵
  PID:2676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d DESKTOP-29933 /f
    3⤵
    PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe\LocalState
  2⤵
  PID:2884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:1016
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 19216811808029933-14589-768-29584 /f
    3⤵
    PID:2840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\EcsCache0
  2⤵
  PID:2848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {192168118080-%random%-%random} /f
  2⤵
  PID:2732
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig /v LastConfig /t REG_SZ /d {192168118080-29933-%random} /f
    3⤵
    PID:2484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState
  2⤵
  PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 192168118080-%random%%random%%random% /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\HardwareConfig\Current /v BaseBoardProduct /t REG_SZ /d 192168118080-2993314589768 /f
    3⤵
    - Modifies registry key
    PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3
  2⤵
  PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 192168118080-%random% /f
  2⤵
  PID:2480
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLab /t REG_SZ /d 192168118080-29933 /f
    3⤵
    - Modifies registry key
    PID:2428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 192168118080-%random% /f
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\Software\Microsoft /v BuildLabEx /t REG_SZ /d 192168118080-29933 /f
    3⤵
    PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\Intel
  2⤵
  PID:2152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 192168118080-%random%%random%%random% /f
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v BaseBoardProduct /t REG_SZ /d 192168118080-2993314589768 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1552
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\kbdclass\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-29933-14589-76829584} /f
    3⤵
    PID:1244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds Cache
  2⤵
  PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\EpicGamesLauncher
  2⤵
  PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\mouhid\Parameters /v WppRecorder_TraceGuid /t REG_SZ /d {192168118080-29933-14589-76829584} /f
    3⤵
    - Modifies registry key
    PID:2716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngine
  2⤵
  PID:2748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2836
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d {192168118080-29933-14589-76829584} /f
    3⤵
    PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2980
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildBranch /t REG_SZ /d 192168118080-29933-14589-76829584 /f
    3⤵
    - Modifies registry key
    PID:564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\UnrealEngineLauncher
  2⤵
  PID:2824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD
  2⤵
  PID:792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1152
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 192168118080-29933-14589-76829584 /f
    3⤵
    - Modifies registry key
    PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\INTEL
  2⤵
  PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1776
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLab /t REG_SZ /d 192168118080-29933-14589-76829584 /f
    3⤵
    - Modifies registry key
    PID:652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\ntuser.ini
  2⤵
  PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2340
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "0\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-29933-14589-76829584 /f
    3⤵
    - Modifies registry key
    PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache
  2⤵
  PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1964
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi" "Port" "1\Scsi" "Bus" "0\Target" "Id" "0\Logical" "Unit" "Id" "0 /v Identifier /t REG_SZ /d 192168118080-29937-25338-1863220880 /f
    3⤵
    - Modifies registry key
    PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\System Volume Information\IndexerVolumeGuid
  2⤵
  PID:1468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1296
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 /v Identifier /t REG_SZ /d 192168118080-29937-25338-1863220880 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0
  2⤵
  PID:352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:324
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1 /v Identifier /t REG_SZ /d 192168118080-29937-25338-1863220880 /f
    3⤵
    - Enumerates system info in registry
    - Modifies registry key
    PID:1744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v3.0
  2⤵
  PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\ControlSet001\Services\BasicDisplay\Video /v VideoID /t REG_SZ /d {192168118080-29937-25338-1863220880} /f
    3⤵
    PID:568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Users\%username%\AppData\Local\Microsoft\Internet Explorer\Recovery
  2⤵
  PID:284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192168118080-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {192168118080-29937-25338-1863220880} /f
    3⤵
    PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Feeds
  2⤵
  PID:1936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1432
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d DESKTOP-29937 /f
    3⤵
    PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Windows\System32\restore\MachineGuid.txt
  2⤵
  PID:2396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d %random% /f
  2⤵
  PID:1536
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d 29937 /f
    3⤵
    - Modifies registry key
    PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\ProgramData\Microsoft\Windows\WER
  2⤵
  PID:1528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d %random% /f
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\DevQuery\6 /v UUID /t REG_SZ /d 29937 /f
    3⤵
    - Modifies registry key
    PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-%random% /f
  2⤵
  PID:1008
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NV" "Hostname /t REG_SZ /d DESKTOP-29937 /f
    3⤵
    - Modifies registry key
    PID:2668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\Public\Libraries
  2⤵
  PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\MSOCache
  2⤵
  PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:2696
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {19216811808029937-25338-18632-2088027345} /f
    3⤵
    - Modifies registry key
    PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%%random%} /f
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {19216811808029937-25338-18632-2088027345} /f
    3⤵
    - Modifies registry key
    PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d %random% /f
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d 29937 /f
    3⤵
    - Modifies registry key
    PID:2884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d %random% /f
  2⤵
  PID:2584
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOwner /t REG_SZ /d 29937 /f
    3⤵
    - Modifies registry key
    PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Roaming\Microsoft\Windows\CloudStore
  2⤵
  PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d %random% /f
  2⤵
  PID:2460
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v REGisteredOrganization /t REG_SZ /d 29937 /f
    3⤵
    - Modifies registry key
    PID:2408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\WebCache
  2⤵
  PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %random%-%random%-%random%-%random% /f
  2⤵
  PID:2268
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 29937-25338-18632-20880 /f
    3⤵
    PID:2140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  2⤵
  PID:2540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:344
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 19216811808029937-25338-18632-20880 /f
    3⤵
    - Modifies registry key
    PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\ConnectedDevicesPlatform\L.%username%\ActivitiesCache.db-wal
  2⤵
  PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 192168118080%random%-%random%-%random%-%random% /f
  2⤵
  PID:548
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 19216811808029937-25338-18632-20880 /f
    3⤵
    PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  2⤵
  PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SoftwareDistribution\DataStore\Logs
  2⤵
  PID:1788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 192168118080%random% /f
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 19216811808029937 /f
    3⤵
    - Modifies registry key
    PID:860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\ProgramData\USOShared\Logs\User
  2⤵
  PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f
  2⤵
  PID:844
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 29937 /f
    3⤵
    - Modifies registry key
    PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\D3DSCache
  2⤵
  PID:1684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f
  2⤵
  PID:2556
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 29937 /f
    3⤵
    - Modifies registry key
    PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {192168118080%random%-%random%-%random%-%random%} /f
  2⤵
  PID:2864
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {19216811808029937-25338-18632-20880} /f
    3⤵
    - Modifies registry key
    PID:2824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
  2⤵
  PID:2976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\cache\qtshadercache
  2⤵
  PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG delete HKCU\Software\Epic" "Games /f
  2⤵
  PID:688
- - C:\Windows\system32\reg.exe
    REG delete HKCU\Software\Epic" "Games /f
    3⤵
    - Modifies registry key
    PID:792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C @del /s /f /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat.log2
  2⤵
  PID:1312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d %random%-%random%-%random%-%random%%random% /f
  2⤵
  PID:1152
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Tracing\Microsoft\Profile\Profile /v Guid /t REG_SZ /d 29940-3318-3728-121754891 /f
    3⤵
    - Modifies registry key
    PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\VkCache
  2⤵
  PID:812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
  2⤵
  PID:1776
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Classes\com.epicgames.launcher /f
    3⤵
    - Modifies registry key
    PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\AMD\CN\NewsFeed
  2⤵
  PID:1048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
  2⤵
  PID:444
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\EpicGames /f
    3⤵
    - Modifies registry key
    PID:1480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
  2⤵
  PID:1484
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\WOW6432Node\Epic" "Games /f
    3⤵
    PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE\RHKRUA8J
  2⤵
  PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Users\%username%\AppData\Local\Microsoft\CLR_v4.0\UsageLogs
  2⤵
  PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCR\com.epicgames.launcher /f
  2⤵
  PID:760
- - C:\Windows\system32\reg.exe
    reg delete HKCR\com.epicgames.launcher /f
    3⤵
    PID:348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\Temp
  2⤵
  PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:1744
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp
  2⤵
  PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:1704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q %systemdrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache
  2⤵
  PID:988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:608
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    PID:1936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:876
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    - Modifies registry key
    PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /s /f /a:h /a:a /d C:\MSOCache\{71230000_00E2-0000-1000-00000000}\Setup.dat
  2⤵
  PID:1892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:1508
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    PID:2396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum /f
    3⤵
    PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1608
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /t REG_SZ /d 192168118080-29940-3318-372812175 /f
    3⤵
    - Modifies registry key
    PID:2992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1852
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /t REG_SZ /d 192168118080-29940-3318-372812175 /f
    3⤵
    PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:3000
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /t REG_SZ /d 192168118080-29943-14066-215923470 /f
    3⤵
    - Modifies registry key
    PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
  2⤵
  PID:1008
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data /v SMBiosData /f
    3⤵
    - Modifies registry key
    PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2696
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v ClientUUID /t REG_SZ /d 192168118080-29943-14066-215923470 /f
    3⤵
    - Modifies registry key
    PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global /v PersistenceIdentifier /t REG_SZ /d 192168118080-29943-14066-215923470 /f
    3⤵
    - Modifies registry key
    PID:2884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\NVIDIA" "Corporation\Global\CoProcManager /v ChipsetMatchID /t REG_SZ /d 192168118080-29943-14066-215923470 /f
    3⤵
    PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SYSTEM\MountedDevices /f
  2⤵
  PID:2704
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\MountedDevices /f
    3⤵
    - Modifies registry key
    PID:2464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
  2⤵
  PID:3008
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\com.epicgames.launcher /f
    3⤵
    - Modifies registry key
    PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
  2⤵
  PID:2968
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Dfrg\Statistics /f
    3⤵
    - Modifies registry key
    PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
  2⤵
  PID:1676
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume /f
    3⤵
    - Modifies registry key
    PID:1668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
  2⤵
  PID:2392
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume /f
    3⤵
    PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
  2⤵
  PID:2524
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
    3⤵
    - Modifies registry key
    PID:1844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
  2⤵
  PID:2148
- - C:\Windows\system32\reg.exe
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket /v LastEnum /f
    3⤵
    - Modifies registry key
    PID:344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Interface /v ClsidStore /t REG_BINARY /d 29946248156689275332552119386850115152522928631210304040 /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:1520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:296
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 192168118080-29946-24815-668927533 /f
    3⤵
    PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:1492
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 192168118080-29946-24815-668927533 /f
    3⤵
    - Modifies registry key
    PID:1244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2132
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d 192168118080-29946-24815-668927533 /f
    3⤵
    - Modifies registry key
    PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
  2⤵
  PID:2452
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Classes\Interface /v ClsidStore /f
    3⤵
    - Modifies registry key
    PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:844
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v _DriverProviderInfo /t REG_SZ /d 192168118080-29946-24815-668927533 /f
    3⤵
    - Modifies registry key
    PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 192168118080-%random%-%random%-%random%%random% /f
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v UserModeDriverGUID /t REG_SZ /d 192168118080-29950-2795-2455318829 /f
    3⤵
    PID:2556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
  2⤵
  PID:2860
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests /f
    3⤵
    PID:2976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
  2⤵
  PID:2808
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v BackupProductKeyDefault /f
    3⤵
    - Modifies registry key
    PID:264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
  2⤵
  PID:536
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v actionlist /f
    3⤵
    - Modifies registry key
    PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:792
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    - Modifies registry key
    PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
  2⤵
  PID:2792
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
    3⤵
    PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History /f
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History /f
    3⤵
    PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Hex-Rays\IDA\History64 /f
    3⤵
    - Modifies registry key
    PID:1112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
  2⤵
  PID:2020
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\SoftwareProtectionPlatform /v ServiceSessionId /f
    3⤵
    - Modifies registry key
    PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2340
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Direct3D /v WHQLClass /t REG_BINARY /d 299502795245531882930672331311613122252174122483208824084 /f
    3⤵
    - Modifies registry key
    PID:1156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:868
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\Installer\Dependencies /v MSICache /t REG_BINARY /d 2995313544964910124133822724014726929754851633520734 /f
    3⤵
    PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1224
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI /v WindowsAIKHash /t REG_BINARY /d 29953135449649101241338227240147269297548516335 /f
    3⤵
    - Modifies registry key
    PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:880
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /t REG_BINARY /d 29953135449649101241338227240147269297548516335207344128 /f
    3⤵
    - Modifies registry key
    PID:348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:900
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\SYSTEM\CurrentControlSet\Services\TPM\ODUID /v RandomSeed /t REG_BINARY /d 29953135449649101241338227240147269297548516335207344128 /f
    3⤵
    PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2088
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Internet" "Explorer\Migration /v IE" "Installed" "Date /t REG_BINARY /d 299531354496491012413382272401472692975485 /f
    3⤵
    PID:2348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:1116
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId /t REG_BINARY /d 299531354496491012413382272401472692975485 /f
    3⤵
    - Modifies registry key
    PID:568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v DigitalProductId4 /t REG_BINARY /d 299531354496491012413382272401472692975485 /f
    3⤵
    - Modifies registry key
    PID:1564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 29953135449649 /f
    3⤵
    PID:2108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:1868
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 29953135449649 /f
    3⤵
    - Modifies registry key
    PID:884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:1928
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 29953135449649 /f
    3⤵
    - Modifies registry key
    PID:1572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d %random%%random%%random% /f
  2⤵
  PID:1856
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleEventlogManager /v LastEventlogWrittenTime /t REG_QWORD /d 29953135449649 /f
    3⤵
    - Modifies registry key
    PID:2364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% /f
  2⤵
  PID:2196
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Control\Notifications /v 418A073AA3BC8075 /t REG_BINARY /d 29953135449649101241338227240147269297548516335207344128 /f
    3⤵
    PID:1904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {%random%-%random%-%random%%random%} /f
  2⤵
  PID:1644
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-EventTracing/Admin /v OwningPublisher /t REG_SZ /d {29956-24292-275131419} /f
    3⤵
    - Modifies registry key
    PID:2400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH WINSOCK RESET
  2⤵
  PID:2376
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH WINSOCK RESET
  2⤵
  PID:1636
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INT IP RESET
  2⤵
  PID:2756
- - C:\Windows\system32\netsh.exe
    NETSH INT IP RESET
    3⤵
    PID:2596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE IPV4 RESET
  2⤵
  PID:2572
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV4 RESET
    3⤵
    PID:2772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE IPV6 RESET
  2⤵
  PID:2704
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV6 RESET
    3⤵
    PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NETSH INTERFACE TCP RESET
  2⤵
  PID:2692
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE TCP RESET
    3⤵
    PID:2640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C IPCONFIG /RELEASE
  2⤵
  PID:2468
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /RELEASE
    3⤵
    - Gathers network information
    PID:2356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C IPCONFIG /FLUSHDNS
  2⤵
  PID:2672
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /FLUSHDNS
    3⤵
    - Gathers network information
    PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NBTSTAT -R
  2⤵
  PID:1360
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -R
    3⤵
    PID:1560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C NBTSTAT -RR
  2⤵
  PID:2152
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -RR
    3⤵
    PID:1588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
  2⤵
  PID:1932
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
    3⤵
    PID:1452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "336478113-91010025914370705111179775282-1609647770-1064384661103125052-14648422"
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-983105743654283372036020374-1489934454-1512156207404626306-201306536-727305049"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-35033585-168990796-52814465-17844239901393050287-13057654911005382003-1738071799"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8916199591773288343-1166737706323345626-815961777354352377-1817172191631206741"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "827469839-713816768-1802850928-102359440357770770749611321307705227785455821"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "985545480-301594351-212975234-164602359315233105191217176448-3187818771767992353"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7471032061316800705-1867977254-1798786680-387823949-328835648-2142045178-218007158"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2121984635-18076148801322744442-1444879539568994587-18374478520243410631031028574"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-910700353620028846-878376598-5651486764438131061167460732-5085851512005085555"
1⤵
PID:2228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1190376567-18274590512503068991876264320-1013789128889510015328347862042132683"
1⤵
PID:1432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1206876566153028478220060939792095393044437419691-502106640-18791220751467246221"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "583682534562551472689059204-2117405220-737862714-179443168-895023013765417765"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2096026216-1483065657-11193639141086425317-55649057926399823811948281131640722343"
1⤵
PID:1312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1599843843-246863830120715472837466773017911985122084432043-18339797641338227775"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1152751716-1076683091994251138-1722603003212687295511612645-1418502470-1584493613"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10098613402078352602135539734065939989-1588519038-1918566596294654039175636169"
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-695777077-698984173-248812513-570692136-12056550631559305476260231493-550809496"
1⤵
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1576362142087230519141946760416005009811787734859-682361732787409134-1838255255"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3350210911250799937405074621600912578226001829-17876941981277194111-57114765"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-167734706320962769-851151382-131476424-1665743739934410213-488016128-1164520450"
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads